US20150074812A1 - Detecting Malicious Use of Computer Resources by Tasks Running on a Computer System - Google Patents
- Publication number
- US20150074812A1
- Authority
- US
- United States
- Prior art keywords
- computer system
- host computer
- port
- tasks
- management
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/34—Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
- G06F11/3466—Performance evaluation by tracing or monitoring
- G06F11/3495—Performance evaluation by tracing or monitoring for systems
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/445—Program loading or initiating
- G06F9/44505—Configuring for program initiating, e.g. using registry, configuration files
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/034—Test or assess a computer or a system
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2101—Auditing as a secondary aspect
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
Definitions
- the present disclosure relates to computer systems and software, and more specifically, to managing computer resources. Still more specifically, the present disclosure relates to a method and system for detecting malicious use of computer resources by a task running on a computer system.
- Unwanted tasks frequently use complex techniques to hide from users of the host computer system.
- Various technologies have been proposed to detect “rootkits” and other stealth install techniques. These existing techniques require querying the host computer system through local means in both a powered and an unpowered state. These existing techniques, in particular the process of assessing a host computer system in an unpowered state, are highly disruptive and time-consuming. As such, administrators need a way to effectively identify the presence of such installations without powering down the host computer system.
- Unwanted software and malware run as tasks on the host computer systems. These unwanted tasks use computer resources that are otherwise needed for use by legitimate tasks. Because of this competition for computer resources, if the unwanted tasks are not identified and removed from host computer systems, the legitimate tasks will not perform as desired on the host computer systems.
- a computer system identifies processes in a running process list on a host computer system.
- the computer system identifies ports assigned to the processes in the running process list on the host computer system.
- the computer system identifies ports currently in use in the host computer system.
- the computer system determines whether any one of the ports that is currently in use in the host computer system is not assigned to any of the processes in the running process list in the host computer system.
- the computer system then makes a record that a hidden, running process is present as a characteristic of an attack in response to a determination that one of the ports is currently in use but not assigned to any of the processes in the running process list in the host computer system.
- FIG. 1 is a schematic block diagram illustrating one embodiment of a system for detecting presence of malicious use of computer resources by a task on a host computer system in accordance with an illustrative embodiment
- FIG. 2 is a host computer system having deployed thereon a local scanning tool for performing a local scan of the host computer system for detecting malicious use of computer resources by a task on a host computer system in accordance with an illustrative embodiment
- FIG. 3 is a computer system having deployed thereon a remote scanning tool for performing a remote scan of a remote computer system for detecting malicious use of computer resources by a task on a host computer system in accordance with an illustrative embodiment
- FIG. 4 depicts a computer system having deployed thereon a resource management tool for analyzing a use of computer resources by a task on a host computer system to detect if the use is malicious, in accordance with an illustrative embodiment
- FIG. 5 is a computer resource management environment for detecting malicious use of computer resources by a task on a host computer system in accordance with an illustrative embodiment
- FIG. 6 is a flowchart of a process performed by a host computer system for locally detecting presence of malicious use of computer resources by tasks on the host computer system in accordance with an illustrative embodiment
- FIG. 7 is a flowchart of a process performed by a remote scanning computer system for remotely detecting presence of malicious use of computer resources by tasks on a host computer system in accordance with an illustrative embodiment
- FIG. 8 depicts a flowchart of a process performed by a resource management computer system for detecting presence of malicious use of computer resources by tasks on a host computer system in accordance with an illustrative embodiment
- FIG. 9 is a flowchart of a process for identifying malware and in particular for detecting if a use of a set of computer resources by a group of tasks on a host computer system is a new use indicating an attack is present in the host computer system, in accordance with an illustrative embodiment
- FIG. 10 depicts a flowchart of a process for identifying malware and in particular for requesting a user to determine whether a new use of the set of computer resources by a group of tasks on a host computer system is an attack, in accordance with an illustrative embodiment
- FIG. 11 depicts a flowchart of a process for identifying malware and in particular for detecting if a new use of computer resources by a group of tasks on a host computer system corresponds with a change scheduled to occur at a particular time, in accordance with an illustrative embodiment
- FIG. 12 depicts a flowchart of a process for identifying malware and in particular for detecting if a port currently in use in a host computer system is assigned to a process, in accordance with an illustrative embodiment.
- the present invention may be embodied as a system, method, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.), or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module,” or “system.” Furthermore, the present invention may take the form of a computer program product embodied in any computer-readable storage device having computer-usable program code stored therein.
- the computer-readable storage device may be, for example, without limitation, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable storage devices would include the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a portable compact disc read-only memory (CDROM), an optical storage device, or a magnetic storage device.
- the computer-usable program code may be downloaded to a computer via a network comprising wireless, wire line, optical fiber cable, RF, routers, firewalls, gateway computers, etc.
- Computer program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object-oriented programming language, such as Java, Smalltalk, C++, or the like, and conventional procedural programming languages, such as the “C” programming language or similar programming languages.
- the program code may run entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server.
- the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
- Internet Service Provider: for example, AT&T, MCI, Sprint, EarthLink, MSN, GTE, etc.
- These computer program instructions may be installed in a general purpose computer or other computing device with a processor and executed by the processor via a RAM to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
- These computer program instructions may also be stored in a computer-readable storage device that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable storage device produce an article of manufacture including instruction means, which implement the function/act specified in the flowchart and/or block diagram block or blocks.
- the computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which run on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
- a method and apparatus detects a presence of malicious tasks on a computer system or host system.
- a “task” as used herein, with reference to a use of computer resources means one or more instances of software running on a computer system.
- instances of software running on a computer system may be processes.
- each process may also have one or more child process of the parent process that is the instance of software running on the computer system.
- a task may be an instance of a computer program, an instance of a service program, code being executed for a device, such as device driver code, an operating system service, a script being executed in the computer system, interpreted code being executed in the computer system, virtualized software being executed in the computer system, and any other instance of software running on a computer system.
- each task running on host computer systems may use computer resources.
- a “task” as used herein, may be identified as malicious software and/or malware running on a host computer system.
- a “computer resource” as used herein, with reference to use by a task means one or more components in a computing environment for use by one or more tasks.
- Computer resources can be software, hardware, or a combination of the two.
- Computer resources may be tasks on computer systems.
- a use of a computer resource by a task may be affected by other tasks.
- two or more tasks may be using the same computer resource at the same time.
- a “set of computer resources in use by a task” as used herein may be a network service or network services.
- a “set” as used herein with reference to computer resources means one or more computer resources.
- a “set of computer resources” is one or more computer resources.
- a “set of computer resources in use by a task” as used herein may be a network service comprising one or more ports currently in use by the task communicating over a network.
- computer resource management environment 100 is an illustration of an environment in which a method and apparatus may be implemented for detecting presence of malicious use of computer resources by tasks on a host computer system in accordance with an illustrative embodiment. As shown in FIG. 1 , computer resource management environment 100 includes host computer system 102 that is remotely connected to network 120 .
- host computer system 102 has a local scanning tool installed thereon for conducting a local scan to interrogate host computer system 102 .
- the local scanning tool runs on host computer system 102 and determines local tasks currently on host computer system 102 . These tasks may be currently running on host computer system 102 .
- computer resource management environment 100 includes remote scanning computer system 104 that is also connected to network 120 and is remote to host computer system 102 .
- remote scanning computer system 104 includes a remote scanning tool for conducting a remote scan of host computer system 102 for enumerating a remote inventory of tasks currently running on host computer system 102 .
- computer resource management environment 100 includes resource management computer system 106 connected to network 120 , resource management computer system 106 having a resource management tool deployed thereon for correlating results received from the local scanning tool on host computer system 102 and the remote scanning tool on remote scanning computer system 104 .
- resource management computer system 106 collects results of the local scan conducted by the local scanning tool on host computer system 102 . Further, the resource management tool on resource management computer system 106 also collects results of the remote scan conducted by the remote scanning tool on remote scanning computer system 104 on host computer system 102 .
- the resource management tool deployed on resource management computer system 106 compares the local inventory of task results enumerated by the local scanning tool on host computer system 102 with the remote inventory of task results enumerated by the remote scanning tool on remote scanning computer system 104 .
- the comparison performed by the resource management tool identifies any discrepancies between the local inventory results obtained from host computer system 102 and the remote inventory results obtained from remote scanning computer system 104 . Any discrepancies found may indicate the presence of malicious tasks on host computer system 102 .
- resource management computer system 106 includes a reporting tool for generating discrepancy report 108 that identifies any discrepancies between the local scan performed by the local scanning tool on host computer system 102 and the remote scan performed by the remote scanning tool on remote scanning computer system 104 on host computer system 102 for identifying a presence of malicious use of computer resources by tasks on host computer system 102 .
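The local-versus-remote correlation that the resource management tool performs, as an added example that is not the patent's own code: the local inventory is the port list each task on the host reported, the remote inventory is the set of ports a scanner observed open from the network, and each port that appears in one view but not the other becomes an entry in the discrepancy report. The host name, scan records and port values are constructed; a port open to the network but missing from the local inventory is the case the page describes as indicating a hidden task.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Discrepancy:
    proto: str
    port: int
    local_state: str    # "open" or "closed" as the local scanning tool saw it
    remote_state: str   # "open" or "closed" as the remote scanning tool saw it
    assessment: str


# Constructed local scan result in the shape the local scanning tool forwards:
# every task in the running task list with the ports assigned to it. A task
# listening on TCP/4444 has been hidden from this view. Not from the patent.
LOCAL_SCAN = {
    "host": "host-102",
    "tasks": [
        {"pid": 884, "name": "svchost.exe", "ports": [("TCP", 135)]},
        {"pid": 4, "name": "System", "ports": [("TCP", 445)]},
        {"pid": 1204, "name": "svchost.exe", "ports": [("TCP", 3389)]},
        {"pid": 1312, "name": "dns.exe", "ports": [("UDP", 53)]},
    ],
}

# Constructed remote scan result: ports the remote scanner found open on the
# same host. TCP/3389 is filtered by a host firewall, so it is not seen here.
REMOTE_SCAN = {
    "host": "host-102",
    "open_ports": [("TCP", 135), ("TCP", 445), ("TCP", 4444), ("UDP", 53)],
}


def local_open_ports(local: dict) -> set[tuple[str, int]]:
    """Ports the host itself reports as assigned to a running task."""
    return {tuple(p) for task in local["tasks"] for p in task["ports"]}


def correlate(local: dict, remote: dict) -> list[Discrepancy]:
    """Compare the two inventories; only differences are returned."""
    if local["host"] != remote["host"]:
        raise ValueError("local and remote scan results describe different hosts")
    local_open = local_open_ports(local)
    remote_open = {tuple(p) for p in remote["open_ports"]}
    findings = []
    # Reachable from the network but unknown to the host: the hidden-task case.
    for proto, port in sorted(remote_open - local_open):
        findings.append(Discrepancy(proto, port, "closed", "open",
            "open to the network but absent from the local inventory: possible hidden task"))
    # Known to the host but not reachable: usually filtering, still worth noting.
    for proto, port in sorted(local_open - remote_open):
        findings.append(Discrepancy(proto, port, "open", "closed",
            "listed locally but not reachable remotely: filtered or loopback-bound"))
    return findings


def suspected_hidden_tasks(findings: list[Discrepancy]) -> list[Discrepancy]:
    """The subset of discrepancies that indicates a task hidden from the host."""
    return [d for d in findings if d.remote_state == "open" and d.local_state == "closed"]


def discrepancy_report(findings: list[Discrepancy], host: str) -> str:
    """Plain-text report in the spirit of discrepancy report 108."""
    lines = [f"Discrepancy report for {host}: {len(findings)} discrepancies"]
    for d in findings:
        lines.append(f"  {d.proto}/{d.port}: local={d.local_state} "
                     f"remote={d.remote_state} -> {d.assessment}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = correlate(LOCAL_SCAN, REMOTE_SCAN)
    print(discrepancy_report(found, LOCAL_SCAN["host"]))
```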
- Host computer system 200 is an example of an implementation for host computer system 102 shown in FIG. 1 .
- Host computer system 200 may have deployed thereon a computer program product, namely, a local scanning tool for conducting a local scan of host computer system 200 for detecting malicious use of computer resources by a task on host computer system 200 .
- host computer system 200 is a computer system or server that includes central processing unit (CPU) 204 , local storage device 202 , user interface 206 , network interface 208 , and memory 210 .
- Central processing unit 204 may be configured generally to execute operations within host computer system 200 .
- User interface 206 in one embodiment, may be configured to allow a user to interact with host computer system 200 , including allowing input of commands and data for conducting a local scan of host computer system 200 .
- Network interface 208 may be configured, in one embodiment, to facilitate network communications of host computer system 200 over a communications channel of network 120 in FIG. 1 .
- memory 210 may be configured to store a group of tasks 212 .
- a “group of tasks” is one or more tasks.
- Group of tasks 212 may include tasks retrieved from running task list 213 of host computer system 200 .
- running task list 213 of host computer system 200 may comprise the list of tasks that are known to be running in host computer system 200 .
- the Microsoft Windows™ operating system will provide a list of running tasks (also known as processes) by query to a “Task manager” function in the operating system.
- Group of tasks 212 may also include hidden tasks in host computer system 200 .
- a hidden task in host computer system 200 may be malware that is not in running task list 213 in host computer system 200 .
- group of tasks 212 may be one or more tasks communicating over a network using one or more ports, such as a ports 214 .
- group of tasks 212 may use ports 214 to communicate over a set of network services.
- one or more ports in ports 214 may be a group of open ports.
- an “open port,” as used herein, means a port that can be used by group of tasks 212 .
- group of tasks 212 may be one or more tasks communicating over a network using the group of open ports in ports 214 .
- ports 214 may be assigned to tasks on running task list 213 on host computer system 200 .
- a task on running task list 213 may be assigned to use a particular port in ports 214 for communicating over a set of network services of host computer system 200 .
- List generation module 228 determines which ports are currently in use/open by enumerating the tasks having assignments to ports in running task list 213 on host computer system 200 .
- Monitoring module 236 determines which ports are currently used by the tasks in the task list by monitoring group of tasks 212 running on host computer system 200 .
- if a port in ports 214 is reported by one computer system as open, and the same port in ports 214 is reported by another computer as closed, the difference will be identified by a resource management tool in resource management computer system 106 . Further, the difference will be used by the resource management tool as an indication of an attack by a task in group of tasks 212 using the port in ports 214 to communicate over the set of network services.
- an “attack” by a task or group of tasks means a malicious use of computer resources.
- resource management computer system 106 may identify a characteristic of an attack by a hidden task in group of tasks 212 based on a determination by resource management computer system 106 that an open port in ports 214 on host computer system 200 is in use by a hidden task in group of tasks 212 . More particularly, resource management computer system 106 may also identify an attack by a task in group of tasks 212 based on a determination by resource management computer system 106 that an open port in ports 214 on host computer system 200 is in use by a task in group of tasks 212 that is not assigned to the port in running task list 213 on host computer system 200 . This is one factor indicating an attack but is not typically determinative, on its own, of an actual attack. The determination may be made by comparing the ports assigned to tasks on running task list 213 on host computer system 200 with the ports that are in use on host computer system 200 .
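The port check claimed above (and summarised in the "identifies ports currently in use ... not assigned to any of the processes in the running process list" steps earlier on this page), worked as an added example that is not code from the patent: a netstat-style socket table stands in for the "ports currently in use" view, a pid-to-name dictionary stands in for running task list 213, and every in-use port whose owning PID is absent from that list is recorded as a hidden running process. The sample table, process list and PID values are constructed.

```python
import re
from typing import NamedTuple


class Socket(NamedTuple):
    proto: str
    port: int
    state: str
    pid: int


# Constructed sample in the shape of a Windows `netstat -ano` listing: this is
# the "ports currently in use" view of the host. Not taken from the patent.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       3976
  TCP    10.0.0.5:49710         52.1.2.3:443           ESTABLISHED     2440
  UDP    0.0.0.0:53             *:*                                    1312
"""

# Constructed running process list (pid -> image name) as the host's task
# manager reports it. PID 3976 is deliberately missing: a process hidden from
# the process list that still owns a listening socket.
SAMPLE_RUNNING_PROCESSES = {
    4: "System",
    884: "svchost.exe",
    1204: "svchost.exe",
    1312: "dns.exe",
    2440: "chrome.exe",
}

# proto, local address, local port, foreign address, optional state, pid
_LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


def parse_socket_table(text: str) -> list[Socket]:
    """Parse the netstat-style table; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m is None:
            continue
        proto, _addr, port, state, pid = m.groups()
        sockets.append(Socket(proto, int(port), state or "", int(pid)))
    return sockets


def ports_in_use(sockets: list[Socket]) -> set[tuple[str, int]]:
    """Every (proto, port) the host currently has open."""
    return {(s.proto, s.port) for s in sockets}


def ports_assigned_to_running(sockets, running) -> set[tuple[str, int]]:
    """(proto, port) pairs owned by a PID that appears in the running list."""
    return {(s.proto, s.port) for s in sockets if s.pid in running}


def find_hidden_listeners(sockets, running) -> list[dict]:
    """Record every in-use port that no listed process accounts for.

    As the patent notes, this is one factor indicating an attack, not proof:
    a process that exits between the two snapshots produces the same
    discrepancy, so each record is a lead to verify, not a verdict.
    """
    unassigned = ports_in_use(sockets) - ports_assigned_to_running(sockets, running)
    records = []
    for s in sockets:
        if (s.proto, s.port) in unassigned:
            records.append({
                "proto": s.proto, "port": s.port, "pid": s.pid, "state": s.state,
                "finding": "port in use but not assigned to any process "
                           "in the running process list",
            })
    return records


if __name__ == "__main__":
    for rec in find_hidden_listeners(parse_socket_table(SAMPLE_NETSTAT),
                                     SAMPLE_RUNNING_PROCESSES):
        print(rec)
```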
- local scanning tool 220 which runs on host computer system 200 , comprises a logic unit that contains a plurality of modules configured to functionally execute the necessary steps of performing a local scan of host computer system 200 for generating a local inventory of tasks on host computer system 200 .
- local scanning tool 220 running on host computer system 200 , includes initiation module 222 , tasks module 224 , network services module 226 , list generation module 228 , results log module 230 , forwarding module 232 , communication module 234 , and monitoring module 236 .
- initiation module 222 may be configured to initiate a local scan of host computer system 200 .
- Tasks module 224 may be configured to generate a list of the tasks on host computer system 200 .
- network services module 226 may be configured to generate a list of network services in use by tasks on host computer system 200 .
- a set of network services in use by tasks may include a list of ports in use by tasks communicating over network 120 .
- list generation module 228 may be configured to generate a list enumerating the tasks in running task list 213 on host computer system 200 , the network services in use by the tasks, and the networks services assigned to the tasks.
- Results log module 230 may be configured to generate a log of the results of the local scan conducted on host computer system 200 .
- local scan results log 231 generated by results log module 230 is stored in local storage device 202 within host computer system 200 .
- Forwarding module 232 may be configured to forward the results of the local scan performed on host computer system 200 . For example, forwarding module 232 may forward the results of the local scan for further evaluation.
- the results may be forwarded by forwarding module 232 to the resource management tool on resource management computer system 106 in FIG. 1 .
- Communication module 234 may be configured to permit communication between the various modules of local scanning tool 220 , memory 210 , and local storage device 202 ; and between the components of host computer system 200 and external computer systems connected to the host computer system 200 over network 120 .
- monitoring module 236 is a monitoring program and may be configured to monitor group of tasks 212 running on host computer system 200 . Further, monitoring module 236 monitors performance for group of tasks 212 . Still further, monitoring module 236 may monitor group of tasks 212 to identify performance information for use of a set of computer resources by group of tasks 212 . For example, performance information for the use of a set of computer resources by group of tasks 212 may include a value indicating how many times a port of a network service was used by group of tasks 212 , an amount of data sent over a port of a network service by group of tasks 212 , and any other performance information suitable for identifying a use of a set of computer resources by group of tasks 212 .
- the set of computer resources is a set of network services.
- Performance information identified by monitoring module 236 is added to the results of each local scan and likewise forwarded by forwarding module 232 .
- monitoring module 236 may aid in determining whether group of tasks 212 using a set of resources is an attack.
- a running process list may be generated in a similar fashion to running task list 213 .
- running task list 213 may be a running list of processes.
- Remote scanning computer system 300 is an example of an implementation for remote scanning computer system 104 shown in FIG. 1 .
- Remote scanning computer system 300 may have deployed thereon a computer program product, namely, remote scanning tool 320 for opening connections with host computer system 200 in FIG. 2 and for conducting a remote scan of host computer system 200 for detecting malicious use of computer resources by a task on host computer system 200 in accordance with an illustrative embodiment.
- Remote scanning tool 320 is run within remote scanning computer system 300 .
- remote scanning computer system 300 is a computer system or server that includes central processing unit (CPU) 304 , local storage device 302 , user interface 306 , network interface 308 , and memory 310 .
- Central processing unit 304 may be configured generally to perform operations within remote scanning computer system 300 .
- User interface 306 in one embodiment, may be configured to allow a user to interact with remote scanning computer system 300 , including allowing input of commands and data for conducting a remote scan of host computer system 200 from remote scanning computer system 300 .
- Network interface 308 may be configured, in one embodiment, to facilitate network communications of remote scanning computer system 300 over a communications channel of network 120 in FIG. 1 .
- memory 310 may be configured to store group of tasks 312 .
- remote scanning tool 320 runs on remote scanning computer system 300 and comprises a logic unit that contains a plurality of modules configured to functionally perform the steps for a remote scan of host computer system 200 for enumerating a remote inventory of tasks on host computer system 200 .
- remote scanning tool 320 running on remote scanning computer system 300 includes initiation module 322 , tasks module 324 , network services module 326 , list generation module 328 , results log module 330 , forwarding module 332 , and communication module 334 .
- initiation module 322 may be configured to initiate a remote scan of all ports of host computer system 200 over network 120 using network interface 308 .
- Tasks module 324 may be configured to enumerate or list all tasks on host computer system 200 .
- network services module 326 may be configured to enumerate or list all network services in use by tasks on host computer system 200 .
- list generation module 328 may be configured to generate a list enumerating the tasks on host computer system 200 and the network services in use by the tasks.
- Results log module 330 may be configured to generate remote scan results log 314 as a log of the results of the remote scan conducted on host computer system 200 .
- remote scan results log 314 generated by results log module 330 is stored in local storage device 302 within remote scanning computer system 300 .
- Forwarding module 332 may be configured to forward the results of the remote scan performed on host computer system 200 to another computer system comprising a resource management tool for evaluating the remote scan results received from remote scanning computer system 300 .
- Communication module 334 may be configured to permit communication between the various modules of remote scanning tool 320 , memory 310 , and local storage device 302 ; and between the components of remote scanning computer system 200 and external computer systems connected to remote scanning computer system 300 over network 120 .
- Resource management computer system 400 is an example of an implementation for resource management computer system 106 shown in FIG. 1 .
- Resource management computer system 400 may have deployed thereon a computer program product, namely, resource management tool 420 for analyzing a use of computer resources by a task on host computer system 200 in FIG. 2 to detect if the use is malicious in accordance with an illustrative embodiment.
- resource management computer system 400 is a computer system or server that includes a central processing unit (CPU) 404 , local storage device 402 , user interface 406 , network interface 408 , and memory 410 .
- Central processing unit 404 may be configured generally to perform operations within resource management computer system 400 .
- User interface 406 in one embodiment, may be configured to allow a user to interact with resource management computer system 400 , including allowing input of commands and data for collecting and analyzing scan results from two or more computer systems or servers, such as host computer system 200 in FIG. 2 and remote scanning computer system 300 in FIG. 3 .
- Network interface 408 may be configured, in one embodiment, to facilitate network communications of resource management computer system 400 over communications channels of network 120 in FIG. 1 .
- memory 410 may be configured to store group of tasks 412 .
- resource management tool 420 runs on resource management computer system 400 and comprises a logic unit that contains a plurality of modules configured to functionally perform the necessary steps for an evaluation of the scanning results received from both host computer system 200 and remote scanning computer system 300 for detecting presence of any malicious tasks on host computer system 200 .
- resource management tool 420 running on resource management computer system 400 includes receiving module 422 , comparison module 424 , evaluation module 426 , flag module 428 , report generation module 430 , and communication module 432 .
- receiving module 422 may be configured to receive both local scan results from host computer system 200 that is suspected of having malicious tasks thereon and remote scan results from remote scanning computer system 300 that conducts a remote scan of host computer system 200 over network 120 .
- Comparison module 424 may be configured to compare a list of tasks on host computer system 200 generated as a result of a local scan performed with a list of tasks on host computer system 200 generated as a result of a remote scan performed on host computer system 200 .
- comparison module 424 also compares a list of network services in use by tasks on host computer system 200 from a local scan on host computer system 200 with a set of network services in use by tasks on host computer system 200 from a remote scan of host computer system 200 by remote scanning computer system 300 .
- evaluation module 426 may be configured to evaluate the comparisons conducted by comparison module 424 in order to generate correlation results stored in correlation results log 414 in storage device 402 . These comparisons may be made to determine whether any discrepancies are found between the local scanning results and the remote scanning results.
- Flag module 428 may be configured to flag host computer system 200 as suspected of having malicious tasks thereon as a result of the evaluation conducted by evaluation module 426 .
- Report generation module 430 may be configured to generate a discrepancy report enumerating the discrepancies found between the local scan and the remote scan as evaluated by evaluation module 426 .
- communication module 432 may be configured to permit communication between the various modules of resource management tool 420 , memory 410 , local storage device 402 ; and between the components of resource management computer system 400 and external computer systems, such as, for example, host computer system 200 in FIG. 2 and remote scanning computer system 300 in FIG. 3 , which are connected to resource management computer system 400 over network 120 .
- policy 434 may be defined in resource management computer system 400 .
- Policy 434 is a set of rules.
- Policy 434 may be used by resource management tool 420 to process uses of computer resources by tasks collected by local and remote computer systems.
- Policy 434 may be used by resource management tool 420 for identifying malicious tasks in host computer system 200 , which in turn improves the performance of the computer resources used by legitimate tasks.
- policy 434 may be for requesting user identification regarding a task's use of computer resources, wherein the policy has a rule for determining if a challenge question is used, as well as a rule for determining duration of time for waiting for a user response.
- the challenge question may be a random question, such as asking the user to identify a word in a picture.
- a use of computer resources by a task in host computer system 200 may be flagged as valid or as invalid.
- a use of computer resources by a task in host computer system 200 may be flagged as valid when the use is validated by a user, when the use is expected, and/or when the use has been previously reported as valid.
- a use of computer resources by a task in host computer system 200 may be flagged as invalid when the use is not validated by a user, when the use is not expected, and/or when the use has been previously reported as invalid.
- a description for the use of computer resources by a task is stored in local storage device 402 .
- the description for the use may include an identification of the task, an identification of host computer system 200 , a time when the use occurred, performance information for the use, and whether the use is valid or invalid.
- an identification of host computer system 200 may include a configuration for host computer system 200 .
- a configuration for host computer system 200 may include a version of an operating system installed on host computer system 200 , a group of tasks installed in host computer system 200 , and any other configuration information for host computer system 200 , as well as for computer resources used by tasks in host computer system 200 .
- storing the description for the use may include making a record of the description for the use in local storage device 402 .
- computer resource environment 502 within computer resource management environment 500 includes host computer system 504 that has deployed thereon a computer program product, namely, local scanning tool 514 , which implements an illustrative embodiment for performing a local scan of host computer system 504 .
- Host computer system 504 is an example of host computer system 102 in FIG. 1 .
- the computer program product comprises a computer-readable or computer-usable storage medium, which provides program code namely, local scanning tool 514 , for use by, or in connection with, a computer server or computer system or any instruction execution system.
- local scanning tool 514 is loaded into memory 512 of host computer system 504 from media 516 .
- Media 516 is a computer-readable storage medium such as, a magnetic tape or disk, optical media, DVD, memory stick, semiconductor memory, etc.
- Local scanning tool 514 may also be downloaded from a server via network adapter card 518 for installation on host computer system 504 .
- computer resource management environment 500 includes computer resource environment 502 , which represents any type of computer architecture that is maintained in a secure environment (i.e., for which access control is enforced). Further, computer resource environment 502 includes host computer system 504 that includes local scanning tool 514 . It should be understood, however, that although not shown, other hardware and software components (e.g., additional computer systems, routers, firewalls, etc.) could be included in computer resource environment 502 .
- host computer system 504 is connected via a network to computer resource environment 502 .
- Host computer system 504 includes local scanning tool 514 that is run on host computer system 504 for performing a local scan of the tasks and network services in use by the tasks on host computer system 504 .
- host computer system 504 can communicate with remote scanning computer system 530 , which is an example of remote scanning computer system 104 in FIG. 1 and resource management computer system 540 , which is an example of resource management computer system 106 in FIG. 1 over network 120 in FIG. 1 .
- remote scanning computer system 530 can interface with computer resource environment 502 in order to run a remote scan of host computer system 504 using remote scanning tool 534 that is loaded into the memory 533 of remote scanning computer system 530 from media 532 .
- Media 532 is a computer-readable storage medium, such as a magnetic tape or disk, optical media, DVD, memory stick, semiconductor memory, etc.
- Remote scanning tool 534 may also be downloaded from a server via network adapter card 554 for installation on remote scanning computer system 530 .
- resource management computer system 540 communicates with computer resource environment 502 over network 120 to retrieve results of the local scan performed by host computer system 504 . Further, resource management computer system 540 communicates with remote scanning computer system 530 to retrieve results of the remote scan of host computer system 504 performed by remote scanning computer system 530 .
- resource management tool 544 is loaded into memory 543 of resource management computer system 540 from media 542 .
- Media 542 is a computer-readable storage medium such as, a magnetic tape or disk, optical media, DVD, memory stick, semiconductor memory, etc.
- Resource management tool 544 may also be downloaded from a server via network adapter card 556 for installation on resource management computer system 540 .
- resource management computer system 540 receives results of the local scan conducted by host computer system 504 and the results of the remote scan conducted by remote scanning computer system 530 of host computer system 504 .
- Resource management computer system 540 also compares the local scan results with the remote scan results to determine whether host computer system 504 has a malicious task.
- computer resource environment 502 may be owned and/or operated by a party such as provider 526 , or by an independent entity. Regardless, use of computer resource environment 502 and the teachings described herein could be offered to the parties on a subscription or fee-basis.
- Host computer system 504 is shown to include central processing unit (CPU) 506 , memory 512 , bus 510 , and input/output (I/O) interfaces 508 . Further, host computer system 504 is shown communicating with external devices 520 and storage system 522 .
- central processing unit 506 executes computer program code stored in memory 512 , such as local scanning tool 514 , to determine the tasks currently on host computer system 504 and the network services currently in use by the tasks.
- External devices 520 may be resources.
- local scanning results 524 produced by the execution of local scanning tool 514 are stored in storage system 522 .
- remote scanning computer system 530 and resource management computer system 540 each include a central processing unit, a memory, a bus, and input/output (I/O) interfaces, similar to host computer system 504 . Further, remote scanning computer system 530 communicates with external devices (not shown) and storage system 536 , whereas, resource management computer system 540 communicates with I/O devices and resources (not shown) and storage system 546 .
- central processing unit 506 executes computer program code stored in memory 512 , such as local scanning tool 514 , to determine the tasks currently on host computer system 504 and the network services in use by the tasks.
- the central processing unit of remote scanning computer system 530 executes computer program code stored in memory 533 , such as remote scanning tool 534 , to determine the tasks on host computer system 504 and the network services in use by the tasks.
- the central processing unit of resource management computer system 540 executes computer program code stored in memory 543 , such as resource management tool 544 , to determine any discrepancies between the local scan and the remote scan of host computer system 504 .
- local scanning results 524 produced by the execution of local scanning tool 514 running on host computer system 504 are stored in storage system 522 .
- remote scanning results 538 produced by the execution of remote scanning tool 534 are stored in storage system 536 of remote scanning computer system 530 .
- correlation results 548 produced by the execution of resource management tool 544 on resource management computer system 540 are stored in storage system 546 of resource management computer system 540 .
- While executing local scanning tool 514 on host computer system 504 , central processing unit 506 reads and writes data, such as local scanning results 524 in storage system 522 , to and from memory 512 . Central processing unit 506 reads and writes data to and from storage system 522 using I/O interfaces 508 . Alternatively, local scanning tool 514 may store local scanning results 524 in memory 512 .
- Bus 510 provides a communication link between each of the components in computer resource management environment 500 , such that information can be communicated within computer resource environment 502 .
- External devices 520 can comprise any devices (e.g., keyboard, pointing device, display, etc.) that enable a user to interact with computer resource management environment 500 and any devices (e.g., network card, modem, etc.) that enable host computer system 504 to communicate with one or more other computing devices, such as, remote scanning computer system 530 and resource management computer system 540 .
- While executing remote scanning tool 534 on remote scanning computer system 530 , the central processing unit reads and writes data to and from memory 533 and storage system 536 , such as remote scanning results 538 in storage system 536 .
- remote scanning tool 534 may store remote scanning results 538 in memory 533 .
- Similarly, while executing resource management tool 544 on resource management computer system 540 , the central processing unit reads and writes data to and from memory 543 and storage system 546 , such as correlation results 548 in storage system 546 .
- resource management tool 544 may store correlation results 548 in memory 543 .
- Computer resource environment 502 is only an illustrative example of many various types of computer environments for implementing an illustrative embodiment.
- computer resource environment 502 may comprise two or more server groups or clusters that communicate over a network to perform the various process steps of an illustrative embodiment.
- computer resource management environment 500 is only one representative example of many various possible environments that can include numerous combinations of hardware and software.
- computer resource management environment 500 can comprise any specific-purpose computing article of manufacture comprising hardware and computer program code for performing specific functions, any computing article of manufacture that comprises a combination of specific-purpose and general-purpose hardware/software, or the like.
- central processing unit 506 may comprise a single central processing unit, or be distributed across one or more processing units in one or more locations, such as, for example, on a client and server.
- memory 512 and storage system 522 can comprise any combination of various types of data storage and/or transmission media that reside at one or more physical locations.
- I/O interfaces 508 can comprise any system for exchanging information with external devices 520 .
- one or more additional components (e.g., system software, a math co-processing unit, etc.) may also be included in host computer system 504 .
- Storage systems 522 , 536 , and 546 can be any type of storage system (e.g., a database) capable of providing storage for information in an illustrative embodiment.
- storage systems 522 , 536 , and 546 could include one or more storage devices, such as a magnetic disk drive and an optical disk drive.
- storage systems 522 , 536 , and 546 include data distributed across, for example, a local area network (LAN), wide area network (WAN), and a storage area network (SAN) (not shown).
- additional components such as cache memory, communication systems, system software, etc., may be incorporated into computer resource management environment 500 .
- FIG. 6 is a flowchart of a process, implemented by local scanning tool 220 in host computer system 200 in FIG. 2 , for locally detecting the presence of malicious use of computer resources by tasks on host computer system 200 , depicted in accordance with an illustrative embodiment.
- the process begins by running local scanning tool 220 locally on “suspicious” host computer system 200 suspected of having a malicious task thereon in order to obtain a list of tasks on host computer system 200 and a list of network services in use by the tasks (step 602 ).
- local scanning tool 220 enumerates a group of tasks on “suspicious” host computer system 200 and a set of respective network services in use by the group of tasks (step 604 ).
- the group of tasks on host computer system 200 and the set of network services in use by the tasks are sent to another computer system on the network, namely, resource management computer system 400 running resource management tool 420 in FIG. 4 , for comparison and evaluation of the local scanning tool 220 results (step 606 ), with the process terminating thereafter.
- FIG. 7 is a flowchart of a process for detecting the presence of malicious use of computer resources by tasks on host computer system 200 , depicted in accordance with an illustrative embodiment.
- the process illustrated may be implemented in remote scanning tool 320 in remote scanning computer system 300 in FIG. 3 that is remote to host computer system 200 in FIG. 2 .
- the process begins by running remote scanning tool 320 on remote scanning computer system 300 for remotely connecting to host computer system 200 over a network and to obtain a list of ports on the “suspicious” host computer system and a status for each port (step 702 ).
- the status for each port may include whether the port is open and/or active in host computer system 200 .
- the process connects remote scanning tool 320 to host computer system 200 to enumerate and list currently running tasks and their respective ports in use in host computer system 200 (step 704 ). These ports and tasks are visible over the network.
- remote scanning computer system 300 attempts to connect to each open port on host computer system 200 and perform an interrogation of the tasks running on host computer system 200 to determine whether the tasks are known, common tasks, or both.
- A list of open, closed and filtered ports is obtained by remote scanning computer system 300 . Further, the remote scan results listing the enumerated ports and tasks visible over the network are sent to resource management tool 420 running in resource management computer system 400 in FIG. 4 for comparison and evaluation of the scanning results (step 706 ), with the process terminating thereafter.
- FIG. 8 is a flowchart of a process, implemented in resource management tool 420 in resource management computer system 400 in FIG. 4 , for detecting the presence of malicious tasks running on the host computer system, depicted in accordance with an illustrative embodiment.
- Resource management tool 420 receives local scanning results from host computer system 200 in FIG. 2 (step 802 ). Resource management tool 420 receives remote scanning results from remote scanning computer system 300 in FIG. 3 (step 804 ). Resource management computer system 400 running resource management tool 420 compares the local lists, corresponding to the local scan, and the remote lists, corresponding to the remote scan, of tasks running on host computer system 200 and network services in use by the tasks for any discrepancies (step 806 ). Any discrepancies found represent hidden tasks and hidden uses of network services and are indicative of unwanted software or malware.
- Resource management tool 420 determines whether a discrepancy is present between the local scan and the remote scan (step 810 ). If resource management tool 420 determines that no discrepancy is present between the local scan and the remote scan, the process indicates that no suspicious network discrepancies are found (step 812 ) with the process terminating thereafter. With reference again to step 810 , if resource management tool 420 determines that one or more discrepancies have been found between the local scan and the remote scan, then resource management tool 420 documents and logs the discrepancies (step 814 ). For example, if suspicious network discrepancies between the local scan list and the remote scan list are found, they will be logged.
- suspicious network discrepancies may include a use of one or more ports by a group of tasks that is in the remote scan list, but which is not in the local scan list.
- the absence of the use in the local scan list indicates that the use identified in the remote scan list is associated with a malicious group of tasks running on host computer system 200 .
- resource management tool 420 flags or identifies the “suspicious” host computer system as possibly infected (step 816 ). Further tests are run on the flagged host computer system 200 and the flagged host computer system 200 is monitored to evaluate the nature of the discrepancy found and the malicious task currently installed on the host computer system 200 (step 818 ), ending the process.
- host computer system 200 has deployed thereon one or more test programs for testing and/or evaluating any discrepancies found by resource management tool 420 . It will be understood by one skilled in the art that the testing and evaluation of host computer system 200 can be manually implemented, as necessary, by an administrator.
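The following Python program is an added worked example of the FIG. 6 to FIG. 8 pipeline (local enumeration, remote enumeration, and the discrepancy comparison of step 806) and is not code from the patent. It assumes the local scan is the output of `ss -H -tlnp` on a Linux host and the remote scan is nmap "grepable" (`-oG`) output; both inputs in the program are constructed samples, and the host address 192.0.2.10 is a documentation address, not a real target.

```python
"""Correlate a local listener listing with a remote port scan of the same host.

Added example (not code from the patent). It assumes the local scan is the
output of `ss -H -tlnp` on a Linux host and the remote scan is nmap
"grepable" output (-oG). Both inputs below are constructed samples.
"""
import re

# Constructed local scan: sshd, nginx and a loopback-only postgres. A
# listener on tcp/4444 is deliberately missing from this view, modelling a
# task that hides itself from local enumeration.
LOCAL_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1045,fd=6),("nginx",pid=1044,fd=6))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=930,fd=5))
"""

# Constructed remote scan of the same host (nmap -sS -p- -oG -). The
# scanner sees tcp/4444 open and tcp/443 filtered by a firewall.
REMOTE_NMAP_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -sS -p- -oG - 192.0.2.10
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/filtered/tcp//https///, 4444/open/tcp//krb524///\tIgnored State: closed (65531)
# Nmap done
"""

_SS_LINE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r"(?:\s+users:\((?P<users>.*)\))?")
_SS_PROC = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')
_NMAP_PORT = re.compile(r"(?P<port>\d+)/(?P<state>\w+)/(?P<proto>\w+)//(?P<service>[^/]*)///")


def parse_local_scan(text):
    """Map each listening TCP port to its bind address and owning processes."""
    listeners = {}
    for line in text.splitlines():
        m = _SS_LINE.match(line)
        if not m:
            continue
        procs = [(p.group("name"), int(p.group("pid")))
                 for p in _SS_PROC.finditer(m.group("users") or "")]
        listeners[int(m.group("port"))] = {"addr": m.group("addr"), "procs": procs}
    return listeners


def parse_remote_scan(text):
    """Map each TCP port nmap reported to its state and guessed service."""
    ports = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        for m in _NMAP_PORT.finditer(line.split("Ports:", 1)[1]):
            if m.group("proto") == "tcp":
                ports[int(m.group("port"))] = {"state": m.group("state"),
                                               "service": m.group("service")}
    return ports


def correlate(local, remote):
    """The FIG. 8 comparison: a port open from the network with no local
    listener is the discrepancy that flags the host. Returns (flagged, report)."""
    report = {"hidden_listeners": [], "local_only": [], "consistent": []}
    for port, info in remote.items():
        if info["state"] != "open":
            continue
        if port in local:
            report["consistent"].append(port)
        else:
            report["hidden_listeners"].append(
                {"port": port, "remote_service": info["service"]})
    for port, info in local.items():
        if remote.get(port, {}).get("state") != "open":
            # Loopback binds and firewalled ports land here; expected, not suspicious.
            report["local_only"].append(
                {"port": port, "addr": info["addr"], "procs": info["procs"]})
    return bool(report["hidden_listeners"]), report


if __name__ == "__main__":
    flagged, report = correlate(parse_local_scan(LOCAL_SS_OUTPUT),
                                parse_remote_scan(REMOTE_NMAP_GREPABLE))
    print("flagged:", flagged)
    for entry in report["hidden_listeners"]:
        print("open remotely, absent locally:", entry)
```

Only the "open remotely, absent locally" case is treated as the discrepancy of step 814; listeners bound to 127.0.0.1 or ports the scanner reports as filtered are expected to differ and are reported separately so they are not mistaken for hidden tasks. A port that is open remotely but absent locally can also be a NAT or port-forward to another machine, so the flag is a trigger for the further tests of step 818, not a verdict.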
- FIG. 9 is a flowchart of a process for identifying malware and, in particular, for detecting whether a use of a set of computer resources by a group of tasks on host computer system 200 in FIG. 2 is a new use indicating that an attack is present in host computer system 200 , depicted in accordance with an illustrative embodiment.
- the steps in FIG. 9 may be implemented in computer resource management environment 100 in FIG. 1 .
- the steps may be implemented in software, hardware, or a combination of the two in resource management computer system 400 in FIG. 4 .
- the steps may be implemented by resource management tool 420 in resource management computer system 400 .
- the process begins by retrieving information about a first use of a set of computer resources by a group of tasks running in host computer system 200 having a first configuration (step 902 ).
- information about a use of the set of computer resources by a group of tasks running on host computer system 200 may be retrieved from correlation results log 414 in FIG. 4 .
- information about a use of the set of computer resources by a group of tasks running on host computer system 200 retrieved from correlation results log 414 may include a discrepancy found between local scanning results and remote scanning results, as described herein.
- the process then identifies a second use of a corresponding set of computer resources by a corresponding group of tasks running on a set of host computer systems having a second configuration that matches the first configuration for host computer system 200 (step 904 ).
- a “match” with reference to configurations for host computer systems means that 100% of the configuration of the host computers is the same.
- match may also mean “close enough”, such as 95%, 80% or some other percentage suitable for identifying that two host computer systems are similar host computer systems.
- the process determines whether a difference in resource use is present between the first use of the set of computer resources and the second use of the corresponding set of computer resources in the set of host computer systems (step 906 ). A determination is made as to whether the difference is present (step 908 ). If no difference in resource use is present, the process identifies that the first use “matches” the second use, wherein “matching” the use means that if the second use is an attack, the first use is also an attack (step 910 ), with the process terminating thereafter.
- Otherwise, if a difference in resource use is present, the process identifies a history of prior uses for the corresponding set of computer resources in the set of host computer systems (step 912 ).
- the history of prior uses for the corresponding set of computer resources in the set of host computer systems may be retrieved from local storage device 402 in FIG. 4 having stored therein an identification of a group of tasks, an indication of a set of computer resources, an identification of a host computer system, and whether the use is an attack for each use.
- the process determines whether the difference in resource use is new based on the history of prior uses for the corresponding set of computer resources (step 914 ). Next, a determination is made as to whether the difference in resource use is new (step 916 ). If the difference in resource use is new, the process identifies that the first use of the set of computer resources may indicate that an attack is present in host computer system 200 (step 918 ), with the process terminating thereafter. Otherwise, if the difference in resource use is not new, the process identifies that the difference in resource use is not new, wherein not new means if the difference is known to be an attack, the first use is also an attack (step 920 ), with the process terminating thereafter.
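The following Python program is an added worked example of the FIG. 9 decision (steps 904 through 920) and is not code from the patent. It models a host configuration as a flat dictionary so that a "match" can be scored as the fraction of agreeing configuration keys against a threshold (the patent's 100%, 95%, 80%), a use as the set of resources one task consumes, and the history as records tagged with whether the use was an attack; the host names, configurations, and history records are constructed.

```python
"""Peer-configuration matching and use-history lookup (FIG. 9).

Added example (not code from the patent). Configurations are modelled as
flat dicts, a use as the set of resources one task consumes on one host,
and the history as records tagged with whether the use was an attack.
All sample data is constructed.
"""


def config_similarity(cfg_a, cfg_b):
    """Fraction of configuration keys, over both configs, whose values agree."""
    keys = set(cfg_a) | set(cfg_b)
    if not keys:
        return 1.0
    return sum(1 for k in keys if cfg_a.get(k) == cfg_b.get(k)) / len(keys)


def classify_use(first_use, peer_hosts, history, threshold=1.0):
    """Steps 904-920: compare against peers with matching configuration,
    then against the history of prior uses when a difference is present."""
    peers = [p for p in peer_hosts.values()
             if config_similarity(first_use["config"], p["config"]) >= threshold]
    if not peers:
        return {"result": "no_matching_peers", "possible_attack": None, "difference": set()}
    second_use, peer_attack = set(), False
    for p in peers:
        rec = p["uses"].get(first_use["task"])
        if rec:
            second_use |= rec["resources"]
            peer_attack = peer_attack or rec["attack"]
    difference = first_use["resources"] - second_use
    if not difference:  # step 910: first use matches second use, verdict inherited
        return {"result": "matches", "possible_attack": peer_attack, "difference": set()}
    for prior in history:  # steps 912-920: is the difference already known?
        if prior["task"] == first_use["task"] and prior["resources"] == difference:
            return {"result": "known", "possible_attack": prior["attack"], "difference": difference}
    return {"result": "new", "possible_attack": True, "difference": difference}


# Constructed data. web-02 is an exact configuration peer of web-01; db-01 is not.
BASE_CONFIG = {"os": "Linux 5.15", "role": "web", "packages": "nginx-1.24,openssh-9.3"}
PEER_HOSTS = {
    "web-02": {"config": dict(BASE_CONFIG),
               "uses": {"nginx": {"resources": {"tcp/80", "tcp/443"}, "attack": False}}},
    "db-01": {"config": {"os": "Linux 5.15", "role": "db", "packages": "postgresql-15"},
              "uses": {"postgres": {"resources": {"tcp/5432"}, "attack": False}}},
}
HISTORY = [{"task": "nginx", "resources": {"tcp/8080"}, "attack": False}]


def example_first_use(resources):
    """A first use of resources by nginx on web-01, as read from the correlation log."""
    return {"host": "web-01", "config": dict(BASE_CONFIG), "task": "nginx",
            "resources": set(resources)}


if __name__ == "__main__":
    print(classify_use(example_first_use({"tcp/80", "tcp/443", "tcp/4444"}), PEER_HOSTS, HISTORY))
```

Lowering the threshold widens the peer set and therefore the "second use" against which the difference is computed, so a loose threshold hides new uses behind unrelated hosts; a configuration key that is missing on one side counts as a mismatch rather than being ignored.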
- FIG. 10 is a flowchart of a process for identifying malware and, in particular, for requesting a user to determine whether a new use of a set of computer resources by a group of tasks on host computer system 200 in FIG. 2 is an attack, depicted in accordance with an illustrative embodiment.
- the steps in FIG. 10 may be implemented in computer resource management environment 100 in FIG. 1 .
- the steps may be implemented in software, hardware, or a combination of the two in resource management computer system 400 in FIG. 4 .
- the steps may be implemented by resource management tool 420 in resource management computer system 400 .
- the process begins by retrieving a new use of a set of computer resources by a group of tasks running in host computer system 200 (step 1002 ).
- the process then retrieves policy 434 in FIG. 4 (step 1004 ).
- policy 434 is used by the process for requesting user identification regarding a group of tasks' use of a set of computer resources.
- policy 434 has a rule for determining if a challenge question is used and a rule for determining duration of time for waiting for a user response.
- the process sends a request to a user of host computer system 200 to determine whether the group of tasks' new use is an attack, wherein the request also includes a challenge question based on the policy (step 1006 ).
- a rule in policy 434 indicates a challenge question must be used when requesting a user to identify if a group of tasks' use is an attack.
- a rule in policy 434 may select a particular type of challenge question to be used. For example, a rule in policy 434 may select a particular type of challenge question for a particular use of computer resources, for a particular group of tasks, for a particular set of computer resources, and for a particular host computer system.
- At step 1008 , if the user did not respond to the request within the duration of time according to the policy, the process identifies the new use of the set of computer resources by the group of tasks running in host computer system 200 as a possible attack based on not receiving a user response within the duration of time (step 1010 ), with the process terminating thereafter. Otherwise, if the user did respond to the request within the duration of time according to the policy, the process continues to step 1012 .
- the process determines whether the user responded to the challenge question correctly (step 1012 ). If the user did not respond to the challenge question correctly, the process identifies the new use of the set of computer resources by the group of tasks running in host computer system 200 as a possible attack based on not receiving a correct user response to the challenge question (step 1014 ), with the process terminating thereafter. Otherwise, if the user did respond to the challenge question correctly, the process stores the user's response as an indication of whether the new use by the group of tasks is an attack in host computer system 200 (step 1016 ), with the process terminating thereafter.
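The following Python program is an added worked example of the FIG. 10 procedure (steps 1004 through 1016) and is not code from the patent. It assumes policy 434 is a list of rules matched on host and task name with shell-style wildcards, first match wins, each rule stating whether a challenge question is used and how long to wait; the arithmetic challenge stands in for the patent's picture-word question, and the policy and responses are constructed.

```python
"""Policy-driven user confirmation with a challenge question (FIG. 10).

Added example (not code from the patent). Policy rules are matched on
host and task name with shell-style wildcards, first match wins; each
rule says whether a challenge is used and how long to wait for the user.
The arithmetic challenge is a stand-in for the patent's picture-word
question. Policy and responses below are constructed.
"""
import fnmatch
import secrets

# Constructed policy: database hosts require a challenge and get a longer wait.
POLICY = [
    {"host": "db-*", "task": "*", "challenge": "arithmetic", "timeout_s": 900},
    {"host": "*", "task": "*", "challenge": "none", "timeout_s": 300},
]


def select_rule(policy, host, task):
    """Step 1004: pick the first rule whose host/task patterns match."""
    for rule in policy:
        if fnmatch.fnmatchcase(host, rule["host"]) and fnmatch.fnmatchcase(task, rule["task"]):
            return rule
    raise LookupError(f"no policy rule for {host}/{task}")


def make_challenge(kind):
    """Build the challenge sent with the request; None when the rule uses none."""
    if kind == "none":
        return None
    if kind == "arithmetic":
        a, b = secrets.randbelow(90) + 10, secrets.randbelow(90) + 10
        return {"question": f"What is {a} + {b}?", "answer": str(a + b)}
    raise ValueError(f"unknown challenge type {kind!r}")


def evaluate_response(rule, challenge, response, elapsed_s):
    """Steps 1008-1016. `response` is None when nothing came back, else
    {"answer": str or None, "is_attack": bool} as the user submitted it."""
    if response is None or elapsed_s > rule["timeout_s"]:
        return {"verdict": "possible_attack", "reason": "no response within policy duration"}
    if challenge is not None and response.get("answer") != challenge["answer"]:
        return {"verdict": "possible_attack", "reason": "challenge answered incorrectly"}
    return {"verdict": "attack" if response["is_attack"] else "valid",
            "reason": "user response recorded"}


if __name__ == "__main__":
    rule = select_rule(POLICY, "db-01", "postgres")
    challenge = make_challenge(rule["challenge"])
    print(challenge["question"])
    print(evaluate_response(rule, challenge, None, rule["timeout_s"] + 1))
```

Both failure branches (no answer in time, wrong answer) resolve to "possible attack", so the check fails closed. The challenge only shows that a person answered; it does not prove the person is the host's authorized user, so the request and reply must travel over a channel the flagged host cannot tamper with.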
- FIG. 11 is a flowchart of a process for identifying malware and, in particular, for detecting whether a new use of a set of computer resources by a group of tasks on host computer system 200 in FIG. 2 corresponds with a change scheduled to occur at a particular time, depicted in accordance with an illustrative embodiment.
- the steps in FIG. 11 may be implemented in computer resource management environment 100 in FIG. 1 .
- the steps may be implemented in software, hardware, or a combination of the two in resource management computer system 400 in FIG. 4 .
- the steps may be implemented by resource management tool 420 in resource management computer system 400 .
- the process begins by retrieving a new use of a set of computer resources by a group of tasks running in host computer system 200 (step 1102 ). The process then identifies a time when the new use occurred (step 1104 ).
- a new use of a set of computer resources by a group of tasks running on host computer 200 and a time for the new use may be retrieved from correlation results log 414 in FIG. 4 .
- information about a new use of the set of computer resources by a group of tasks running on host computer 200 retrieved from correlation results log 414 may include a discrepancy found between local scanning results and remote scanning results, as described herein.
- the process identifies a set of changes having a scheduled time for each change, wherein the set of changes are for the group of tasks running on host computer system 200 and for the set of computer resources in use by the group of tasks running on host computer system 200 (step 1106 ).
- a “set of changes”, as used herein, means one or more changes, which can be changes to software, hardware, or a combination of the two.
- set of changes may be updates to programs on host computer system 200 or on another computer system in network 120 in FIG. 1 .
- the process determines whether the time when the new use occurred corresponds to the scheduled time for at least one of the changes in the set of changes (step 1108 ), and makes a determination accordingly (step 1110 ). If the time when the new use occurred does not correspond to the scheduled time for any of the changes in the set of changes, the process identifies the new use of the set of computer resources by the group of tasks running in host computer system 200 as a possible attack (step 1112 ), with the process terminating thereafter.
- Otherwise, if the time when the new use occurred corresponds to the scheduled time for at least one of the changes, the process identifies that the new use of the set of computer resources by the group of tasks running in host computer system 200 may not be an attack because it corresponds to the scheduled time (step 1114 ), with the process terminating thereafter.
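The following Python program is an added worked example of the FIG. 11 check (steps 1106 through 1114) and is not code from the patent. It assumes a scheduled change carries the tasks and resources it is expected to affect, a scheduled start, and a change-window length, and that a new use "corresponds" to a change only when its time falls inside that window and its tasks and resources are within the change's scope; the change identifiers, schedule, and uses are constructed.

```python
"""Correlate a new resource use with the change schedule (FIG. 11).

Added example (not code from the patent). A scheduled change is modelled
with the tasks and resources it is expected to affect, its scheduled start
and the length of its change window; a new use "corresponds" to a change
when its time falls inside that window and its tasks and resources are
within the change's scope. Sample schedule and uses are constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed change schedule (identifiers are hypothetical).
SCHEDULED_CHANGES = [
    {"id": "CHG-1042", "tasks": {"nginx"}, "resources": {"tcp/8443"},
     "scheduled": datetime(2024, 5, 3, 2, 0, tzinfo=timezone.utc),
     "window": timedelta(hours=2)},
    {"id": "CHG-1050", "tasks": {"postgres"}, "resources": {"tcp/5433"},
     "scheduled": datetime(2024, 5, 4, 1, 0, tzinfo=timezone.utc),
     "window": timedelta(hours=1)},
]


def corresponding_changes(new_use, changes):
    """Step 1108: changes whose window covers the time of the new use and
    whose scope covers the tasks and resources involved."""
    hits = []
    for change in changes:
        in_scope = (new_use["tasks"] & change["tasks"]) and new_use["resources"] <= change["resources"]
        in_window = change["scheduled"] <= new_use["time"] <= change["scheduled"] + change["window"]
        if in_scope and in_window:
            hits.append(change["id"])
    return hits


def evaluate_new_use(new_use, changes=SCHEDULED_CHANGES):
    """Steps 1110-1114: a use explained by no scheduled change is a possible attack."""
    hits = corresponding_changes(new_use, changes)
    return {"possible_attack": not hits, "explained_by": hits}


def make_use(task, resource, when):
    """Build a new-use record as it would be read from the correlation log."""
    return {"tasks": {task}, "resources": {resource},
            "time": datetime.fromisoformat(when)}


if __name__ == "__main__":
    print(evaluate_new_use(make_use("nginx", "tcp/8443", "2024-05-03T02:40:00+00:00")))
    print(evaluate_new_use(make_use("nginx", "tcp/4444", "2024-05-03T02:40:00+00:00")))
```

Matching on scope as well as time matters: an attacker who knows the maintenance calendar can time a new listener to a change window, so a use that falls inside a window but touches a resource the change never mentioned still comes out as a possible attack.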
- FIG. 12 is a flowchart of a process for identifying malware and, in particular, for detecting whether a port currently in use in host computer system 200 in FIG. 2 is assigned to a process in host computer system 200 , depicted in accordance with an illustrative embodiment.
- the steps in FIG. 12 may be implemented in computer resource management environment 100 in FIG. 1 .
- the steps may be implemented in software, hardware, or a combination of the two in resource management computer system 400 in FIG. 4 .
- the steps may be implemented by resource management tool 420 in resource management computer system 400 .
- the process begins by identifying processes in a running process list on host computer system 200 (step 1202 ).
- a running process list may be running task list 213 in FIG. 2 .
- the process identifies ports assigned to the processes in the running process list on host computer system 200 (step 1204 ).
- the process then identifies ports in use in host computer system 200 (step 1206 ).
- information about a use of the ports by processes running on host computer system 200 may be retrieved from correlation results log 414 in FIG. 4 .
- information about a use of ports by processes running on host computer system 200 retrieved from correlation results log 414 may include a discrepancy found between local scanning results and remote scanning results, as described herein.
- the process determines whether a port is in use in host computer system 200 that is not assigned to any of the processes in the running process list in host computer system 200 (step 1208). A determination is made as to whether any one of the ports that is currently in use in the host computer system is not assigned to any of the processes in the running process list in host computer system 200 (step 1210). If each of the ports that is currently in use is assigned to one of the processes in the running process list in host computer system 200, the process makes a record that the attack is absent in host computer system 200 (step 1212), with the process terminating thereafter.
- if a port currently in use is not assigned to any of the processes in the running process list, the process makes a record that a hidden, running process is present as a characteristic of an attack in host computer system 200 (step 1214), with the process terminating thereafter.
- after step 1214, additional investigation may be made to determine whether a false positive has occurred in identifying an attack as being present. The additional investigation may be made using steps such as those illustrated in FIGS. 9-11.
- the one or more illustrative embodiments provide a system, method and a program product for detecting the presence of malicious tasks running on a computer system or host computer system, in accordance with an embodiment of the invention.
- the illustrative embodiments may interrogate the host computer system both locally and remotely. Local interrogation could be conducted through a locally installed agent (user or administrator-level access), or through standard network service interrogation techniques that typically require administrative-level access. Remote service interrogation of the host computer system can be conducted with standard port scanning and vulnerability scanning technologies.
- the device labeled “suspicious host” may or may not originally be “suspicious” and the interrogation of the host may be a routine/scheduled event for preemptive detection of malicious tasks and unwanted tasks installed on host computer systems.
- Local host enumeration of network services could be achieved through the use of default operating system query tools, or custom tools.
- the remote scanning tool may use standard remote port scanning techniques to identify open ports and enumerate the tasks behind them.
- the resource management tool could be a stand-alone device, part of a resource management toolset, or part of an additional software suite whose purpose is to act upon any discrepancies identified between “local scanning results” and “remote scanning results.”
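The port correlation of FIG. 12 (steps 1202 to 1214) together with the local-versus-remote interrogation described above, as an added example written for this page rather than code from the patent application. It parses a constructed local listener listing in the layout of `ss -ltnp`, a constructed remote scan result in the table layout a typical port scanner prints, and a constructed running process list; a port seen in use that no process in the running list accounts for is recorded as the hidden-process characteristic of step 1214, and the local/remote discrepancies the resource management tool would act on are reported alongside it. The sample listings, the process and port values, and all function names are constructed for this example.

```python
"""Correlating a local port/process inventory with a remote port scan (FIG. 12).

Added example, not code from the patent application. The running process list,
the ss(8)-style listener listing and the scanner-style port table below are
constructed samples; their layouts are assumptions made for this example.
"""
import re
from typing import Dict, Set, Tuple

# Running process list as the host reports it (step 1202): pid -> name.
RUNNING_PROCESSES = {1: "init", 812: "sshd", 1043: "nginx", 2210: "cron"}

# Local listener listing in the layout of `ss -ltnp` (constructed sample).
LOCAL_LISTENERS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    *:80               *:*               users:(("nginx",pid=1043,fd=6))
LISTEN 0      128    [::]:5432          [::]:*            users:(("postgres",pid=1201,fd=5))
"""

# Remote scan of the same host, scanner-style table (constructed sample).
REMOTE_SCAN = """\
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  filtered https
5432/tcp open     postgresql
6666/tcp open     unknown
"""

_OWNER_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')
_REMOTE_RE = re.compile(r"^(\d+)/tcp\s+(\S+)")


def parse_local_listeners(text: str) -> Dict[int, Tuple[str, int]]:
    """Map listening port -> (process name, pid) from ss-style output (step 1204)."""
    assigned = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue  # header line or a non-listening socket
        port = int(fields[3].rsplit(":", 1)[1])  # works for 0.0.0.0:22, *:80, [::]:5432
        m = _OWNER_RE.search(fields[5])
        if m:
            assigned[port] = (m.group(1), int(m.group(2)))
    return assigned


def parse_remote_scan(text: str) -> Set[int]:
    """Ports the remote scanner reports open; filtered/closed do not count (step 1206)."""
    return {int(m.group(1)) for m in map(_REMOTE_RE.match, text.splitlines())
            if m and m.group(2) == "open"}


def correlate(running: Dict[int, str], local_text: str, remote_text: str) -> dict:
    """Steps 1206-1214: find ports in use that no listed process accounts for."""
    assigned = parse_local_listeners(local_text)
    remote_open = parse_remote_scan(remote_text)
    in_use = remote_open | set(assigned)  # every port either side saw in use
    # A port is accounted for only if its claimed owner really is in the
    # running process list; an owner missing from that list is itself hidden.
    accounted = {p for p, (_, pid) in assigned.items() if pid in running}
    unassigned = sorted(in_use - accounted)
    return {
        "hidden_process_suspected": bool(unassigned),  # step 1214 vs step 1212
        "unassigned_ports": unassigned,
        "open_remotely_only": sorted(remote_open - set(assigned)),
        "listed_locally_only": sorted(set(assigned) - remote_open),
        "owner_not_in_process_list": {p: assigned[p] for p in unassigned if p in assigned},
    }


if __name__ == "__main__":
    result = correlate(RUNNING_PROCESSES, LOCAL_LISTENERS, REMOTE_SCAN)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Two distinct situations surface in the sample: port 6666 is reachable from the remote scanner but absent from the local listing, which is the case a tampered local view cannot hide from the outside, and port 5432 is claimed locally by a pid that the running process list does not contain, which is the task-manager-hiding case the page describes. A port listed locally but not open remotely is reported too, since the page treats any open/closed disagreement as a discrepancy, though a host firewall is the usual benign explanation for it. Either finding is one factor for the follow-up of FIGS. 9-11, not a determination on its own.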
- each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s).
- the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be performed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.
Description
- This application is a continuation of application Ser. No. 12/261,026, filed Oct. 29, 2008, status pending.
- 1. Field:
- The present disclosure relates to computer systems and software, and more specifically, to managing computer resources. Still more specifically, the present disclosure relates to a method and system for detecting malicious use of computer resources by a task running on a computer system.
- 2. Description of the Related Art:
- Unwanted tasks frequently use complex techniques to hide from users of the host computer system. Various technologies have been proposed to detect “rootkits” and other stealth install techniques. These existing techniques require querying the host computer system through local means in both a powered and an unpowered state. These existing techniques, and in particular the process of assessing a host computer system in an unpowered state, are highly disruptive and time-consuming. As such, a need is present for administrators to effectively identify the presence of such installations without powering down the host computer system.
- Unwanted software and malware run as tasks on the host computer systems. These unwanted tasks use computer resources that are otherwise needed for use by legitimate tasks. Because of this competition for computer resources, if the unwanted tasks are not identified and removed from host computer systems, the legitimate tasks will not perform as desired on the host computer systems.
- Therefore, it would be advantageous to have a method, system, and computer program product that takes into account at least some of the issues discussed above, as well as possibly other issues.
- According to one illustrative embodiment, a method, apparatus, and computer program product for identifying malware is provided. A computer system identifies processes in a running process list on a host computer system. The computer system identifies ports assigned to the processes in the running process list on the host computer system. The computer system identifies ports currently in use in the host computer system. The computer system determines whether any one of the ports that is currently in use in the host computer system is not assigned to any of the processes in the running process list in the host computer system. The computer system then makes a record that a hidden, running process is present as a characteristic of an attack in response to a determination that one of the ports is currently in use but not assigned to any of the processes in the running process list in the host computer system.
- FIG. 1 is a schematic block diagram illustrating one embodiment of a system for detecting presence of malicious use of computer resources by a task on a host computer system in accordance with an illustrative embodiment;
- FIG. 2 is a host computer system having deployed thereon a local scanning tool for performing a local scan of the host computer system for detecting malicious use of computer resources by a task on a host computer system in accordance with an illustrative embodiment;
- FIG. 3 is a computer system having deployed thereon a remote scanning tool for performing a remote scan of a remote computer system for detecting malicious use of computer resources by a task on a host computer system in accordance with an illustrative embodiment;
- FIG. 4 depicts a computer system having deployed thereon a resource management tool for analyzing a use of computer resources by a task on a host computer system to detect if the use is malicious, in accordance with an illustrative embodiment;
- FIG. 5 is a computer resource management environment for detecting malicious use of computer resources by a task on a host computer system in accordance with an illustrative embodiment;
- FIG. 6 is a flowchart of a process performed by a host computer system for locally detecting presence of malicious use of computer resources by tasks on the host computer system in accordance with an illustrative embodiment;
- FIG. 7 is a flowchart of a process performed by a remote scanning computer system for remotely detecting presence of malicious use of computer resources by tasks on a host computer system in accordance with an illustrative embodiment;
- FIG. 8 depicts a flowchart of a process performed by a resource management computer system for detecting presence of malicious use of computer resources by tasks on a host computer system in accordance with an illustrative embodiment;
- FIG. 9 is a flowchart of a process for identifying malware and in particular for detecting if a use of a set of computer resources by a group of tasks on a host computer system is a new use indicating an attack is present in the host computer system, in accordance with an illustrative embodiment;
- FIG. 10 depicts a flowchart of a process for identifying malware and in particular for requesting a user to determine whether a new use of the set of computer resources by a group of tasks on a host computer system is an attack, in accordance with an illustrative embodiment;
- FIG. 11 depicts a flowchart of a process for identifying malware and in particular for detecting if a new use of computer resources by a group of tasks on a host computer system corresponds with a change scheduled to occur at a particular time, in accordance with an illustrative embodiment; and
- FIG. 12 depicts a flowchart of a process for identifying malware and in particular for detecting if a port currently in use in a host computer system is assigned to a process, in accordance with an illustrative embodiment.
- As will be appreciated by one skilled in the art, the present invention may be embodied as a system, method, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.), or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module,” or “system.” Furthermore, the present invention may take the form of a computer program product embodied in any computer-readable storage device having computer-usable program code stored therein. The computer-readable storage device may be, for example, without limitation, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable storage devices would include the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a portable compact disc read-only memory (CDROM), an optical storage device, or a magnetic storage device.
- The computer-usable program code may be downloaded to a computer via a network comprising wireless, wire line, optical fiber cable, RF, routers, firewalls, gateway computers, etc.
- Computer program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object-oriented programming language, such as Java, Smalltalk, C++, or the like, and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The program code may run entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
- The present invention is described below with reference to flowcharts and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowcharts and/or block diagrams, and combinations of blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions.
- These computer program instructions may be installed in a general purpose computer or other computing device with a processor and executed by the processor via a RAM to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer program instructions may also be stored in a computer-readable storage device that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable storage device produce an article of manufacture including instruction means, which implement the function/act specified in the flowchart and/or block diagram block or blocks.
- The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which run on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
- In one illustrative embodiment, a method and apparatus detects a presence of malicious tasks on a computer system or host system. A “task” as used herein, with reference to a use of computer resources, means one or more instances of software running on a computer system. For example, instances of software running on a computer system may be processes. In this example, each process may also have one or more child processes of the parent process that is the instance of software running on the computer system. For example, a task may be an instance of a computer program, an instance of a service program, code being executed for a device, such as device driver code, an operating system service, a script being executed in the computer system, interpreted code being executed in the computer system, virtualized software being executed in the computer system, and any other instance of software running on a computer system. Particularly, each task running on host computer systems may use computer resources. Still more particularly, a “task” as used herein, may be identified as malicious software and/or malware running on a host computer system.
- A “computer resource” as used herein, with reference to use by a task, means one or more components in a computing environment for use by one or more tasks. Computer resources can be software, hardware, or a combination of the two. For example, computer resources may be tasks on computer systems. A use of a computer resource by a task may be affected by other tasks. For example, two or more tasks may be using the same computer resource at the same time. Specifically, a “set of computer resources in use by a task” as used herein, may be a network service or network services. A “set” as used herein with reference to computer resources, means one or more computer resources. For example, a “set of computer resources” is one or more computer resources. Still more particularly, a “set of computer resources in use by a task” as used herein, may be a network service comprising one or more ports currently in use by the task communicating over a network.
- With reference to the figures and, in particular, with reference to
FIG. 1 , computerresource management environment 100 is an illustration of an environment in which a method and apparatus may be implemented for detecting presence of malicious use of computer resources by tasks on a host computer system in accordance with an illustrative embodiment. As shown inFIG. 1 , computerresource management environment 100 includeshost computer system 102 that is remotely connected tonetwork 120. - In an illustrative example,
host computer system 102 has a local scanning tool installed thereon for conducting a local scan to interrogatehost computer system 102. The local scanning tool runs onhost computer system 102 and determines local tasks currently onhost computer system 102. These tasks may be currently running onhost computer system 102. - Further, computer
resource management environment 100 includes remotescanning computer system 104 that is also connected to network 120 and is remote tohost computer system 102. In an illustrative embodiment, remotescanning computer system 104 includes a remote scanning tool for conducting a remote scan ofhost computer system 102 for enumerating a remote inventory of tasks currently running onhost computer system 102. - Additionally, computer
resource management environment 100 includes resourcemanagement computer system 106 connected to network 120, resourcemanagement computer system 106 having a resource management tool deployed thereon for correlating results received from the local scanning tool onhost computer system 102 and the remote scanning tool on remotescanning computer system 104. In an illustrative embodiment, resourcemanagement computer system 106 collects results of the local scan conducted by the local scanning tool onhost computer system 102. Further, the resource management tool on resourcemanagement computer system 106 also collects results of the remote scan conducted by the remote scanning tool on remotescanning computer system 104 onhost computer system 102. - Furthermore, the resource management tool deployed on resource
management computer system 106 compares the local inventory of task results enumerated by the local scanning tool onhost computer system 102 with the remote inventory of task results enumerated by the remote scanning tool on remotescanning computer system 104. The comparison performed by the resource management tool identifies any discrepancies between the local inventory results obtained fromhost computer system 102 and the remote inventory results obtained from remotescanning computer system 104. Any discrepancies found may indicate the presence of malicious tasks onhost computer system 102. - Further, in an illustrative example, resource
management computer system 106 includes a reporting tool for generatingdiscrepancy report 108 that identifies any discrepancies between the local scan performed by the local scanning tool onhost computer system 102 and the remote scan performed by the remote scanning tool on remotescanning computer system 104 onhost computer system 102 for identifying a presence of malicious use of computer resources by tasks onhost computer system 102. - Turning next to
FIG. 2 , an illustration of a host computer system is depicted in accordance with an illustrative embodiment.Host computer system 200 is an example of an implementation forhost computer system 102 shown inFIG. 1 .Host computer system 200 may have deployed thereon a computer program product, namely, a local scanning tool for conducting a local scan ofhost computer system 200 for detecting malicious use of computer resources by a task onhost computer system 200. - As depicted,
host computer system 200 is a computer system or server that includes central processing unit (CPU) 204,local storage device 202,user interface 206,network interface 208, andmemory 210.Central processing unit 204 may be configured generally to execute operations withinhost computer system 200.User interface 206, in one embodiment, may be configured to allow a user to interact withhost computer system 200, including allowing input of commands and data for conducting a local scan ofhost computer system 200.Network interface 208 may be configured, in one embodiment, to facilitate network communications ofhost computer system 200 over a communications channel ofnetwork 120 inFIG. 1 . - In an illustrative example,
memory 210 may be configured to store a group oftasks 212. A “group” as used herein with reference to tasks, means one or more tasks. For example, a “group of tasks” is one or more tasks. Group oftasks 212 may include tasks retrieved from runningtask list 213 ofhost computer system 200. For example, runningtask list 213 ofhost computer system 200 may comprise the list of tasks that are known to be running inhost computer system 200. For example, the Microsoft Windows™ operating system will provide a list of running tasks (also known as processes) by query to a “Task manager” function in the operating system. Some malicious processes are able to hide from the task manager by installing themselves as a service as opposed to as an application in the task manager, by modifying the task manager to not show themselves, and by only temporarily running in the task manager. For example, a malicious task may hide from the task manager by quitting, which has the effect of removing itself from the task manager. Group oftasks 212 may also include hidden tasks inhost computer system 200. For example, a hidden task inhost computer system 200 may be malware that is not in runningtask list 213 inhost computer system 200. Still more particularly, “group oftasks 212” may be one or more tasks communicating over a network using one or more ports, such as aports 214. In these illustrative examples, group oftasks 212 may useports 214 to communicate over of a set of network services. In these illustrative examples, one or more ports inports 214 may be a group of open ports. “Open port” as used herein, means a port can be used by group oftasks 212. For example, “group oftasks 212” may be one or more tasks communicating over a network using the group of open ports inports 214. In these illustrative examples,ports 214 may be assigned to tasks on runningtask list 213 onhost computer system 200. 
For example, a task on runningtask list 213 may be assigned to use a particular port inports 214 for communicating over a set of network services ofhost computer system 200.List generation module 228 determines which ports are currently in use/open by enumerating the tasks having assignments to ports in runningtask list 213 onhost computer system 200.Monitoring module 236 determines which ports are currently used by the tasks in the task list by monitoring group oftasks 212 running onhost computer system 200. - In these illustrative examples, if a port in
ports 214 is reported by one computer system as open, and the same port inports 214 is reported by another computer as closed, the difference will be identified by a resource management tool in resourcemanagement computer system 106. Further, the difference will be used by the resource management tool as an indication of an attack by a task in group oftasks 212 using the port inports 214 to communicate over the set of network services. As used herein, an “attack” by a task or group of tasks, means a malicious use of computer resources. - In these illustrative examples, resource
management computer system 106 may identify a characteristic of an attack by a hidden task in group oftasks 212 based on a determination by resourcemanagement computer system 106 that an open port inports 214 onhost computer system 200 is in use by a hidden task in group oftasks 212. More particularly, resourcemanagement computer system 106 may also identify an attack by a task in group oftasks 212 based on a determination by resourcemanagement computer system 106 that an open port inports 214 onhost computer system 200 is in use by a task in group oftasks 212 that is not assigned to the port in runningtask list 213 onhost computer system 200. This is one factor indicating an attack but is not typically determinative, on its own, of an actual attack. The determination may be made by comparing the ports assigned to tasks on runningtask list 213 in onhost computer system 200 with ports that are in use in onhost computer system 200. - In this illustrative example,
local scanning tool 220, which runs onhost computer system 200, comprises a logic unit that contains a plurality of modules configured to functionally execute the necessary steps of performing a local scan ofhost computer system 200 for generating a local inventory of tasks onhost computer system 200. In this illustrative example,local scanning tool 220, running onhost computer system 200, includesinitiation module 222,tasks module 224,network services module 226,list generation module 228, results logmodule 230, forwardingmodule 232,communication module 234, andmonitoring module 236. In an embodiment,initiation module 222 may be configured to initiate a local scan ofhost computer system 200.Tasks module 224 may be configured to generate a list of the tasks onhost computer system 200. Further,network services module 226 may be configured to generate a list of network services in use by tasks onhost computer system 200. In one illustrative embodiment, a set of network services in use by tasks may include a list of ports in use by tasks communicating overnetwork 120. - In an illustrative example,
list generation module 228 may be configured to generate a list enumerating the tasks in runningtask list 213 onhost computer system 200, the network services in use by the tasks, and the networks services assigned to the tasks.Results log module 230 may be configured to generate a log of the results of the local scan conducted onhost computer system 200. In an embodiment, local scan results log 231 generated by results logmodule 230 are stored inlocal storage device 202 withinhost computer system 200.Forwarding module 232 may be configured to forward the results of the local scan performed onhost computer system 200. For example, forwardingmodule 232 may forward the results of the local scan for further evaluation. Particularly, the results may be forwarded by forwardingmodule 232 to the resource management tool on resourcemanagement computer system 106 inFIG. 1 .Communication module 234 may be configured to permit communication between the various modules oflocal scanning tool 220,memory 210, andlocal storage device 202; and between the components ofhost computer system 200 and external computer systems connected to thehost computer system 200 overnetwork 120. - In these illustrative examples,
monitoring module 236 is a monitoring program and may be configured to monitor group oftasks 212 running onhost computer system 200. Further,monitoring module 236 monitors performance for group oftasks 212. Still further,monitoring module 236 may monitor group oftasks 212 to identify performance information for use of a set of computer resources by group oftasks 212. For example, performance information for the use of a set of computer resources by group oftasks 212 may include a value indicating how many times a port of a network service was used by group oftasks 212, an amount of data sent over a port of a network service by group oftasks 212, and any other performance information suitable for identifying a use of a set of computer resources by group oftasks 212. In this illustrative example, the set of computer resources is a set of network services. Performance information identified by monitoringmodule 236 is added to the results of each local scan and likewise forwarded by forwardingmodule 232. In this manner,monitoring module 236 may aide in determining whether group oftasks 212 using a set of resources is an attack. Although the illustrative examples are directed toward processes in the form of tasks, other examples may be applied other than tasks. With other processes, a running process list may be generated in a similar fashion to runningtask list 213. For example, runningtask list 213 may be a running list of processes. - With reference now to
FIG. 3 , an illustration of a remote scanning computer system is depicted in accordance with an illustrative embodiment. Remotescanning computer system 300 is an example of an implementation for remotescanning computer system 104 shown inFIG. 1 . Remotescanning computer system 300 may have deployed thereon a computer program product, namely,remote scanning tool 320 for opening connections withhost computer system 200 inFIG. 2 and for conducting a remote scan ofhost computer system 200 for detecting malicious use of computer resources by a task onhost computer system 200 in accordance with an illustrative embodiment.Remote scanning tool 320 is run within remotescanning computer system 300. - As depicted, remote
scanning computer system 300 is a computer system or server that includes central processing unit (CPU) 304,local storage device 302,user interface 306,network interface 308, andmemory 310.Central processing unit 304 may be configured generally to perform operations within remotescanning computer system 300.User interface 306, in one embodiment, may be configured to allow a user to interact with remotescanning computer system 300, including allowing input of commands and data for conducting a remote scan ofhost computer system 200 from remotescanning computer system 300.Network interface 308 may be configured, in one embodiment, to facilitate network communications of remotescanning computer system 300 over a communications channel ofnetwork 120 inFIG. 1 . - In an illustrative example,
memory 310 may be configured to store group oftasks 312. In one embodiment, as shown inFIG. 3 ,remote scanning tool 320 runs on remotescanning computer system 300 and comprises a logic unit that contains a plurality of modules configured to functionally perform the steps for a remote scan ofhost computer system 200 for enumerating a remote inventory of tasks onhost computer system 200. In an embodiment, shown inFIG. 3 ,remote scanning tool 320 running on remotescanning computer system 300 includesinitiation module 322,tasks module 324,network services module 326,list generation module 328, results logmodule 330, forwardingmodule 332, andcommunication module 334. - In an illustrative example,
initiation module 322 may be configured to initiate a remote scan of all ports ofhost computer system 200 overnetwork 120 usingnetwork interface 308.Tasks module 324 may be configured to enumerate or list all tasks onhost computer system 200. Further,network services module 326 may be configured to enumerate or list all network services in use by tasks onhost computer system 200. In an embodiment,list generation module 328 may be configured to generate a list enumerating the tasks onhost computer system 200 and the network services in use by the tasks.Results log module 330 may be configured to generate remote scan results log 314 as a log of the results of the remote scan conducted onhost computer system 200. In an embodiment, remote scan results log 314 generated by results logmodule 330 is stored inlocal storage device 302 within remotescanning computer system 300.Forwarding module 332 may be configured to forward the results of the remote scan performed onhost computer system 200 to another computer system comprising a resource management tool for evaluating the remote scan results received from remotescanning computer system 300.Communication module 334 may be configured to permit communication between the various modules ofremote scanning tool 320,memory 310, andlocal storage device 302; and between the components of remotescanning computer system 200 and external computer systems connected to remotescanning computer system 300 overnetwork 120. - Turning to
FIG. 4 , an illustration of a resource management computer system is depicted in accordance with an illustrative embodiment. Resourcemanagement computer system 400 is an example of an implementation for resourcemanagement computer system 106 shown inFIG. 1 . Resourcemanagement computer system 400 may have deployed thereon a computer program product, namely,resource management tool 420 for analyzing a use of computer resources by a task onhost computer system 200 inFIG. 2 to detect if the use is malicious in accordance with an illustrative embodiment. - As depicted, resource
management computer system 400 is a computer system or server that includes a central processing unit (CPU) 404,local storage device 402,user interface 406,network interface 408, andmemory 410.Central processing unit 404 may be configured generally to perform operations within resourcemanagement computer system 400.User interface 406, in one embodiment, may be configured to allow a user to interact with resourcemanagement computer system 400, including allowing input of commands and data for collecting and analyzing scan results from two or more computer systems or servers, such ashost computer system 200 inFIG. 2 and remotescanning computer system 300 inFIG. 3 . -
Network interface 408 may be configured, in one embodiment, to facilitate network communications of resource management computer system 400 over communications channels of network 120 in FIG. 1. In an illustrative embodiment, memory 410 may be configured to store group of tasks 412. In one embodiment, as shown in FIG. 4, resource management tool 420 runs on resource management computer system 400 and comprises a logic unit that contains a plurality of modules configured to functionally perform the necessary steps for an evaluation of the scanning results received from both host computer system 200 and remote scanning computer system 300 for detecting presence of any malicious tasks on host computer system 200. In this illustrative example, resource management tool 420 running on resource management computer system 400 includes receiving module 422, comparison module 424, evaluation module 426, flag module 428, report generation module 430, and communication module 432. - In an illustrative example, receiving
module 422 may be configured to receive both local scan results from host computer system 200, which is suspected of having malicious tasks thereon, and remote scan results from remote scanning computer system 300, which conducts a remote scan of host computer system 200 over network 120. Comparison module 424 may be configured to compare a list of tasks on host computer system 200 generated by a local scan performed on host computer system 200 with a list of tasks on host computer system 200 generated by a remote scan performed on host computer system 200. In an embodiment, comparison module 424 also compares a list of network services in use by tasks on host computer system 200 from the local scan on host computer system 200 with a set of network services in use by tasks on host computer system 200 from the remote scan of host computer system 200 by remote scanning computer system 300. - Further,
evaluation module 426 may be configured to evaluate the comparisons conducted by comparison module 424 in order to generate correlation results stored in correlation results log 414 in storage device 402. These comparisons may be made to determine whether any discrepancies are found between the local scanning results and the remote scanning results. Flag module 428 may be configured to flag host computer system 200 as suspected of having malicious tasks thereon as a result of the evaluation conducted by evaluation module 426. Report generation module 430 may be configured to generate a discrepancy report enumerating the discrepancies found between the local scan and the remote scan as evaluated by evaluation module 426. In an embodiment, communication module 432 may be configured to permit communication between the various modules of resource management tool 420, memory 410, and local storage device 402; and between the components of resource management computer system 400 and external computer systems, such as, for example, host computer system 200 in FIG. 2 and remote scanning computer system 300 in FIG. 3, which are connected to resource management computer system 400 over network 120. - In these illustrative examples,
policy 434 may be defined in resource management computer system 400. Policy 434 is a set of rules. Policy 434 may be used by resource management tool 420 to process uses of computer resources by tasks, as collected by the local and remote computer systems. Policy 434 may be used by resource management tool 420 for identifying malicious tasks in host computer system 200 and thereby improve the performance of the computer resources used by tasks. For example, policy 434 may be for requesting user identification regarding a task's use of computer resources, wherein the policy has a rule for determining if a challenge question is used, as well as a rule for determining the duration of time to wait for a user response. For example, the challenge question may be a random question, such as asking the user to identify a word in a picture. - In these illustrative examples, a use of computer resources by a task in
host computer system 200 may be flagged as valid or as invalid. For example, a use of computer resources by a task in host computer system 200 may be flagged as valid when the use is validated by a user, when the use is expected, and/or when the use has been previously reported as valid. Likewise, a use of computer resources by a task in host computer system 200 may be flagged as invalid when the use is not validated by a user, when the use is not expected, and/or when the use has been previously reported as invalid. - In these illustrative examples, when a use of computer resources by a task on
host computer system 200 is identified as valid or invalid for host computer system 200, a description for the use of computer resources by a task is stored in local storage device 402. For example, the description for the use may include an identification of the task, an identification of host computer system 200, a time when the use occurred, performance information for the use, and whether the use is valid or invalid. In these illustrative examples, an identification of host computer system 200 may include a configuration for host computer system 200. For example, a configuration for host computer system 200 may include a version of an operating system installed on host computer system 200, a group of tasks installed in host computer system 200, and any other configuration information for host computer system 200, as well as for computer resources used by tasks in host computer system 200. For example, storing the description for the use may include making a record of the description for the use in local storage device 402. - Referring now to
FIG. 5, an illustration of a computer resource management environment for detecting malicious use of computer resources by a task on a host computer system is depicted in accordance with an illustrative embodiment. As depicted, computer resource environment 502 within computer resource management environment 500 includes host computer system 504, which has deployed thereon a computer program product, namely, local scanning tool 514, which implements an illustrative embodiment for performing a local scan of host computer system 504. Host computer system 504 is an example of host computer system 102 in FIG. 1. The computer program product comprises a computer-readable or computer-usable storage medium, which provides program code, namely, local scanning tool 514, for use by, or in connection with, a computer server or computer system or any instruction execution system. - As depicted,
local scanning tool 514 is loaded into memory 512 of host computer system 504 from media 516. Media 516 is a computer-readable storage medium such as a magnetic tape or disk, optical media, DVD, memory stick, semiconductor memory, etc. Local scanning tool 514 may also be downloaded from a server via network adapter card 518 for installation on host computer system 504. As depicted, computer resource management environment 500 includes computer resource environment 502, which represents any type of computer architecture that is maintained in a secure environment (i.e., for which access control is enforced). Further, computer resource environment 502 includes host computer system 504, which includes local scanning tool 514. It should be understood, however, that although not shown, other hardware and software components (e.g., additional computer systems, routers, firewalls, etc.) could be included in computer resource environment 502. - In general,
host computer system 504 is connected via a network to computer resource environment 502. Host computer system 504 includes local scanning tool 514, which is run on host computer system 504 for performing a local scan of the tasks and the network services in use by the tasks on host computer system 504. Further, host computer system 504 can communicate with remote scanning computer system 530, which is an example of remote scanning computer system 104 in FIG. 1, and resource management computer system 540, which is an example of resource management computer system 106 in FIG. 1, over network 120 in FIG. 1. For instance, remote scanning computer system 530 can interface with computer resource environment 502 in order to run a remote scan of host computer system 504 using remote scanning tool 534, which is loaded into memory 533 of remote scanning computer system 530 from media 532. Media 532 is a computer-readable storage medium, such as a magnetic tape or disk, optical media, DVD, memory stick, semiconductor memory, etc. Remote scanning tool 534 may also be downloaded from a server via network adapter card 554 for installation on remote scanning computer system 530. Similarly, resource management computer system 540 communicates with computer resource environment 502 over network 120 to retrieve results of the local scan performed by host computer system 504. Further, resource management computer system 540 communicates with remote scanning computer system 530 to retrieve results of the remote scan of host computer system 504 performed by remote scanning computer system 530. - In an illustrative example,
resource management tool 544 is loaded into memory 543 of resource management computer system 540 from media 542. Media 542 is a computer-readable storage medium such as a magnetic tape or disk, optical media, DVD, memory stick, semiconductor memory, etc. Resource management tool 544 may also be downloaded from a server via network adapter card 556 for installation on resource management computer system 540. As such, resource management computer system 540 receives the results of the local scan conducted by host computer system 504 and the results of the remote scan of host computer system 504 conducted by remote scanning computer system 530. Resource management computer system 540 also compares the local scan results with the remote scan results to determine whether host computer system 504 has a malicious task. In the illustrative examples, computer resource environment 502 may be owned and/or operated by a party such as provider 526, or by an independent entity. Regardless, use of computer resource environment 502 and the teachings described herein could be offered to the parties on a subscription or fee basis. -
Host computer system 504 is shown to include central processing unit (CPU) 506, memory 512, bus 510, and input/output (I/O) interfaces 508. Further, host computer system 504 is shown communicating with external devices 520 and storage system 522. In general, central processing unit 506 executes computer program code stored in memory 512, such as local scanning tool 514, to determine the tasks currently on host computer system 504 and the network services currently in use by the tasks. External devices 520 may be resources. In an embodiment, local scanning results 524 produced by the execution of local scanning tool 514 are stored in storage system 522. Although not shown in FIG. 5, remote scanning computer system 530 and resource management computer system 540 each include a central processing unit, a memory, a bus, and input/output (I/O) interfaces, similar to host computer system 504. Further, remote scanning computer system 530 communicates with external devices (not shown) and storage system 536, whereas resource management computer system 540 communicates with I/O devices and resources (not shown) and storage system 546. - In general,
central processing unit 506 executes computer program code stored in memory 512, such as local scanning tool 514, to determine the tasks currently on host computer system 504 and the network services in use by the tasks, whereas the central processing unit of remote scanning computer system 530 executes computer program code stored in memory 533, such as remote scanning tool 534, to determine the tasks on host computer system 504 and the network services in use by the tasks. Similarly, the central processing unit of resource management computer system 540 executes computer program code stored in memory 543, such as resource management tool 544, to determine any discrepancies between the local scan and the remote scan of host computer system 504. - Further, in an illustrative example, local scanning results 524 produced by the execution of
local scanning tool 514 running on host computer system 504 are stored in storage system 522, whereas remote scanning results 538 produced by the execution of remote scanning tool 534 are stored in storage system 536 of remote scanning computer system 530, and correlation results 548 produced by the execution of resource management tool 544 on resource management computer system 540 are stored in storage system 546 of resource management computer system 540. - While executing
local scanning tool 514 on host computer system 504, central processing unit 506 reads and writes data, such as local scanning results 524 in storage system 522, to and from memory 512. Central processing unit 506 reads and writes data to and from storage system 522 using I/O interfaces 508. Alternatively, local scanning tool 514 may store local scanning results 524 in memory 512. Bus 510 provides a communication link between each of the components in computer resource management environment 500, such that information can be communicated within computer resource environment 502. -
External devices 520 can comprise any devices (e.g., keyboard, pointing device, display, etc.) that enable a user to interact with computer resource management environment 500 and any devices (e.g., network card, modem, etc.) that enable host computer system 504 to communicate with one or more other computing devices, such as remote scanning computer system 530 and resource management computer system 540. Similarly, while executing remote scanning tool 534 on remote scanning computer system 530, the central processing unit reads and writes data to and from memory 533 and storage system 536, such as remote scanning results 538 in storage system 536. - Alternatively,
remote scanning tool 534 may store remote scanning results 538 in memory 533. Further, while executing resource management tool 544 on resource management computer system 540, the central processing unit can read and write data to and from memory 543 and storage system 546, such as correlation results 548 in storage system 546. Alternatively, resource management tool 544 may store correlation results 548 in memory 543. -
Computer resource environment 502 is only an illustrative example of the many various types of computer environments for implementing an illustrative embodiment. For example, in one illustrative embodiment, computer resource environment 502 may comprise two or more server groups or clusters that communicate over a network to perform the various process steps of an illustrative embodiment. - Moreover, computer
resource management environment 500 is only one representative example of the many various possible environments that can include numerous combinations of hardware and software. To this extent, in other embodiments, computer resource management environment 500 can comprise any specific-purpose computing article of manufacture comprising hardware and computer program code for performing specific functions, any computing article of manufacture that comprises a combination of specific-purpose and general-purpose hardware/software, or the like. - In each case, the program code and hardware can be created using standard programming and engineering techniques, respectively. Moreover,
central processing unit 506 may comprise a single central processing unit, or be distributed across one or more processing units in one or more locations, such as, for example, on a client and a server. Similarly, memory 512 and storage system 522 can comprise any combination of various types of data storage and/or transmission media that reside at one or more physical locations. Further, I/O interfaces 508 can comprise any system for exchanging information with external devices 520. Still further, it is understood that one or more additional components (e.g., system software, math co-processing unit, etc.) not shown in FIG. 5 can be included in computer resource management environment 500. -
Storage systems storage systems storage systems resource management environment 500. - Turning to
FIG. 6, a flowchart of a process implemented by local scanning tool 220 in host computer system 200 in FIG. 2 for locally detecting the presence of malicious use of computer resources by tasks on host computer system 200 is depicted in accordance with an illustrative embodiment. The process begins by running local scanning tool 220 locally on "suspicious" host computer system 200, which is suspected of having a malicious task thereon, in order to obtain a list of tasks on host computer system 200 and a list of network services in use by the tasks (step 602). Next, local scanning tool 220 enumerates a group of tasks on "suspicious" host computer system 200 and a set of respective network services in use by the group of tasks (step 604). The group of tasks on host computer system 200 and the set of network services in use by the tasks are sent to another computer system on the network, namely, resource management computer system 400 running resource management tool 420 in FIG. 4, for comparison and evaluation of the local scanning tool 220 results (step 606), with the process terminating thereafter. - Reference is now made to
FIG. 7, a flowchart of a process for detecting the presence of malicious use of computer resources by tasks on host computer system 200, which is depicted in accordance with an illustrative embodiment. The process illustrated may be implemented in remote scanning tool 320 in remote scanning computer system 300 in FIG. 3, which is remote to host computer system 200 in FIG. 2. - The process begins by running
remote scanning tool 320 on remote scanning computer system 300 for remotely connecting to host computer system 200 over a network and obtaining a list of ports on the "suspicious" host computer system and a status for each port (step 702). For example, the status for each port may include whether the port is open and/or active in host computer system 200. Next, the process connects remote scanning tool 320 to host computer system 200 to enumerate and list the currently running tasks and their respective ports in use in host computer system 200 (step 704). These ports and tasks are visible over the network. In an embodiment, remote scanning computer system 300 attempts to connect to each open port on host computer system 200 and performs an interrogation of the tasks running on host computer system 200 to determine whether the tasks are known, common tasks, or both. As such, a list of open, closed and filtered ports is obtained by remote scanning computer system 300. Further, the remote scan results listing the enumerated ports and tasks visible over the network are sent to resource management tool 420 running in resource management computer system 400 in FIG. 4 for comparison and evaluation of the scanning results (step 706), with the process terminating thereafter. - With reference now to
FIG. 8, a flowchart of a process implemented in resource management tool 420 in resource management computer system 400 in FIG. 4 for detecting the presence of malicious tasks running on the host computer system is depicted in accordance with an illustrative embodiment. -
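Before the comparison of FIG. 8 itself, the per-port status list that the remote scan of FIG. 7 produces in step 702 and that the comparison consumes, as an added example that is not the patent's own code: a TCP connect scan in Python that classifies each probed port as open, closed or filtered. The timeout value and the loopback demonstration are assumptions made for this example; in practice the remote scanning computer system would run a purpose-built port scanner, as the description notes.

```python
"""Added example, not the patent's own code: a minimal TCP connect scan that
produces the per-port status list the FIG. 7 process starts from (step 702).
Status follows the usual scanner convention: a completed handshake is "open",
an immediate refusal is "closed", and a probe that gets no answer before the
timeout is "filtered" (typically a firewall dropping it).  The timeout value
and the loopback demo are assumptions made for this example."""
import socket
import threading


def probe_port(host, port, timeout=1.0):
    """Classify one TCP port on `host` as open, closed or filtered."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"      # no SYN/ACK and no RST: something dropped the probe
    except ConnectionRefusedError:
        return "closed"        # RST came back: nothing is listening there
    except OSError:
        return "filtered"      # unreachable host / no route: treat like a dropped probe
    finally:
        sock.close()


def scan_ports(host, ports, timeout=1.0):
    """Return {port: status} for every port in `ports`, the list step 702 hands on."""
    return {port: probe_port(host, port, timeout) for port in sorted(ports)}


def open_ports(status_by_port):
    """The subset step 704 goes on to connect to and interrogate."""
    return sorted(port for port, status in status_by_port.items() if status == "open")


def _start_loopback_listener():
    """Throwaway listener on an ephemeral loopback port so the demo is self-contained."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:    # listener closed, demo is over
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def demo():
    """Scan one listening and one non-listening loopback port; returns the two
    port numbers together with the status map so the result can be checked."""
    listener = _start_loopback_listener()
    # Bound but never listen()ed: the kernel answers connects with RST, so this
    # port is reliably "closed" and nothing else can grab it in the meantime.
    reserved = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    reserved.bind(("127.0.0.1", 0))
    open_port = listener.getsockname()[1]
    closed_port = reserved.getsockname()[1]
    try:
        status = scan_ports("127.0.0.1", [open_port, closed_port], timeout=2.0)
    finally:
        listener.close()
        reserved.close()
    return {"open_port": open_port, "closed_port": closed_port, "status": status}


if __name__ == "__main__":
    print(demo())
```

The three outcomes of the handshake are all the information a connect scan has, so a service that is bound locally but shows as filtered here is the firewall case; that is expected and is not a discrepancy in the sense of FIG. 8, whereas a port found open over the network that no local task claims is. Running the block directly prints the loopback demonstration.
-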
Resource management tool 420 receives local scanning results from host computer system 200 in FIG. 2 (step 802). Resource management tool 420 receives remote scanning results from remote scanning computer system 300 in FIG. 3 (step 804). Resource management computer system 400 running resource management tool 420 compares the local lists, corresponding to the local scan, and the remote lists, corresponding to the remote scan, of tasks running on host computer system 200 and of network services in use by the tasks for any discrepancies (step 806). Any discrepancies found represent hidden tasks and hidden uses of network services and are indicative of unwanted software or malware. -
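The comparison of steps 806 through 816 run over one local listing and one remote scan of the same host, as an added example that is not the patent's own code. The local listing is modelled on the output of `ss -H -lntp`, the remote scan on nmap's grepable (`-oG`) output; both samples are constructed, and 192.0.2.10 is a documentation address rather than a real system.

```python
"""Added example, not the patent's own code: the FIG. 8 comparison (steps
806-816) over one local listing and one remote scan of the same host.  The
local listing is modelled on `ss -H -lntp` output and the remote scan on
nmap's grepable (-oG) output; both samples below are constructed."""
import re
from dataclasses import dataclass

# Constructed local scan: what an agent on the host sees (step 802).
LOCAL_SCAN = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1201,fd=6))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=990,fd=5))
"""

# Constructed remote scan: what the scanner sees over the network (step 804).
REMOTE_SCAN = """\
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 4444/open/tcp//krb524///, 5432/closed/tcp//postgresql///
"""


@dataclass(frozen=True)
class LocalService:
    port: int
    process: str
    pid: int


def parse_local(text):
    """Map listening port -> owning process from ss-style lines."""
    pattern = re.compile(r':(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')
    services = {}
    for line in text.splitlines():
        m = pattern.search(line)
        if m:
            port = int(m.group(1))
            services[port] = LocalService(port, m.group(2), int(m.group(3)))
    return services


def parse_remote(text):
    """Map open TCP port -> service name from the 'Ports:' field of nmap -oG."""
    found = {}
    for line in text.splitlines():
        m = re.search(r'Ports:\s*([^\t]*)', line)
        if not m:
            continue
        for entry in m.group(1).split(','):
            # port/state/proto/owner/service/rpc/version
            fields = entry.strip().split('/')
            if len(fields) >= 5 and fields[1] == 'open' and fields[2] == 'tcp':
                found[int(fields[0])] = fields[4] or 'unknown'
    return found


def find_discrepancies(local, remote):
    """Step 806: ports open on the network that no locally listed task claims.
    Ports that are local-only (loopback bound, or filtered by a firewall) are
    not discrepancies in this sense and are left alone."""
    return {port: remote[port] for port in sorted(remote) if port not in local}


def evaluate_host(local_text, remote_text):
    """Steps 810-816: log the discrepancies and flag the host if any exist."""
    hidden = find_discrepancies(parse_local(local_text), parse_remote(remote_text))
    return {"flagged": bool(hidden), "hidden_ports": hidden}


if __name__ == "__main__":
    print(evaluate_host(LOCAL_SCAN, REMOTE_SCAN))
```

Only ports the remote scan sees open and no locally listed task claims are reported. The reverse case, a port listed locally but closed or filtered remotely, like the loopback-bound 5432 in the sample, is normal for loopback-bound or firewalled services and is deliberately not treated as a discrepancy; that keeps the hidden-port check from flagging every host behind a firewall.
-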
Resource management tool 420 determines whether a discrepancy is present between the local scan and the remote scan (step 810). If resource management tool 420 determines that no discrepancy is present between the local scan and the remote scan, the process indicates that no suspicious network discrepancies are found (step 812), with the process terminating thereafter. With reference again to step 810, if resource management tool 420 determines that one or more discrepancies have been found between the local scan and the remote scan, then resource management tool 420 documents and logs the discrepancies (step 814). For example, if suspicious network discrepancies between the local scan list and the remote scan list are found, they will be logged. - In this example, suspicious network discrepancies may include a use of one or more ports by a group of tasks that is in the remote scan list, but which is not in the local scan list. In this example, the absence of the use in the local scan list indicates that the use identified in the remote scan list is associated with a malicious group of tasks running on
host computer system 200. - Next,
resource management tool 420 flags or identifies the "suspicious" host computer system as possibly infected (step 816). Further tests are run on the flagged host computer system 200, and the flagged host computer system 200 is monitored to evaluate the nature of the discrepancy found and the malicious task currently installed on host computer system 200 (step 818), ending the process. In an embodiment, host computer system 200 has deployed thereon one or more test programs for testing and/or evaluating any discrepancies found by resource management tool 420. It will be understood by one skilled in the art that the testing and evaluation of host computer system 200 can be manually implemented, as necessary, by an administrator. - With reference now to
FIG. 9, a flowchart of a process for identifying malware, and in particular, for detecting if a use of a set of computer resources by a group of tasks on host computer system 200 in FIG. 2 is a new use indicating that an attack is present in host computer system 200, is depicted in accordance with an illustrative embodiment. The steps in FIG. 9 may be implemented in computer resource management environment 100 in FIG. 1. In particular, the steps may be implemented in software, hardware, or a combination of the two in resource management computer system 400 in FIG. 4. Still more particularly, the steps may be implemented by resource management tool 420 in resource management computer system 400. - The process begins by retrieving information about a first use of a set of computer resources by a group of tasks running in
host computer system 200 having a first configuration (step 902). In these illustrative examples, information about a use of the set of computer resources by a group of tasks running on host computer system 200 may be retrieved from correlation results log 414 in FIG. 4. For example, information about a use of the set of computer resources by a group of tasks running on host computer system 200 retrieved from correlation results log 414 may include a discrepancy found between local scanning results and remote scanning results, as described herein. - The process then identifies a second use of a corresponding set of computer resources by a corresponding group of tasks running on a set of host computer systems having a second configuration that matches the first configuration for host computer system 200 (step 904). In these illustrative examples, a "match" with reference to configurations for host computer systems means that 100% of the configuration of the host computers is the same. In these illustrative examples, a match may also mean "close enough", such as 95%, 80% or some other percentage suitable for identifying that two host computer systems are similar host computer systems.
- The process then determines whether a difference in resource use is present between the first use of the set of computer resources and the second use of the corresponding set of computer resources in the set of host computer systems (step 906). As depicted (step 908), if the difference in resource use is not present, the process identifies that the first use "matches" the second use, wherein "matching" the use means that if the second use is an attack, the first use is also an attack (step 910), with the process terminating thereafter.
- Otherwise, if the difference in resource use is present, the process identifies a history of prior uses for the corresponding set of computer resources in the set of host computer systems (step 912). For example, the history of prior uses for the corresponding set of computer resources in the set of host computer systems may be retrieved from
local storage device 402 in FIG. 4, which has stored therein, for each use, an identification of a group of tasks, an indication of a set of computer resources, an identification of a host computer system, and whether the use is an attack. - The process then determines whether the difference in resource use is new based on the history of prior uses for the corresponding set of computer resources (step 914). Next, a determination is made as to whether the difference in resource use is new (step 916). If the difference in resource use is new, the process identifies that the first use of the set of computer resources may indicate that an attack is present in host computer system 200 (step 918), with the process terminating thereafter. Otherwise, if the difference in resource use is not new, the process identifies that the difference in resource use is not new, wherein not new means that if the difference is known to be an attack, the first use is also an attack (step 920), with the process terminating thereafter.
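The FIG. 9 flow carried through on constructed records, as an added example that is not the patent's own code. A configuration is taken to be the operating system version and the group of installed tasks, the two items the description lists for a host's configuration, and the 100%, 95% and 80% matches are expressed as a Jaccard overlap of the installed-task sets against a threshold; the record layout and that similarity measure are assumptions made for this example.

```python
"""Added example, not the patent's own code: the FIG. 9 flow (steps 902-920)
over constructed use records.  A host configuration is taken to be the OS
version plus the group of installed tasks; "match" is the Jaccard overlap of
the installed-task sets against a threshold, so 1.0 is the 100% match and
0.95 or 0.8 the "close enough" variants.  Record layout and similarity
measure are assumptions made for this example; demo() builds constructed records."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Use:
    host: str
    os_version: str                 # configuration: operating system version
    installed: frozenset            # configuration: group of tasks installed
    task: str                       # the task whose resource use was flagged
    ports: frozenset                # the set of computer resources in use
    time: datetime
    attack: Optional[bool] = None   # stored verdict for this use, if any


def config_similarity(a, b):
    """0.0 when the OS versions differ, else the Jaccard overlap of installed tasks."""
    if a.os_version != b.os_version:
        return 0.0
    union = a.installed | b.installed
    return len(a.installed & b.installed) / len(union) if union else 1.0


def matching_hosts(first, peers, threshold=0.95):
    """Step 904: uses of the same task on other hosts whose configuration matches."""
    return [p for p in peers if p.host != first.host and p.task == first.task
            and config_similarity(first, p) >= threshold]


def classify(first, peers, history, threshold=0.95):
    """Steps 906-920.  Returns (label, inherited verdict):
    'matches' - a matching host shows the same resource use (step 910),
    'known'   - the difference appears in the history of prior uses (step 920),
    'new'     - never seen before; may indicate an attack (step 918)."""
    for p in matching_hosts(first, peers, threshold):
        if p.ports == first.ports:               # step 908: no difference in use
            return "matches", p.attack
    for h in sorted(history, key=lambda u: u.time, reverse=True):   # newest first
        if h.task == first.task and h.ports == first.ports:
            return "known", h.attack
    return "new", None


def demo():
    """Constructed records exercising each branch; returns the outcomes."""
    t0 = datetime(2024, 1, 15, 3, 0)
    base = frozenset({"sshd", "nginx", "cron", "rsyslog"})
    first = Use("host-a", "os-7.1", base, "nginx", frozenset({80, 4444}), t0)
    twin = Use("host-c", "os-7.1", base, "nginx", frozenset({80, 4444}), t0, attack=True)
    peer = Use("host-b", "os-7.1", base, "nginx", frozenset({80}), t0, attack=False)
    near = Use("host-e", "os-7.1", base | {"snmpd"}, "nginx", frozenset({80, 4444}), t0, attack=True)
    other_os = Use("host-f", "os-8.0", base, "nginx", frozenset({80, 4444}), t0, attack=True)
    past = Use("host-d", "os-7.1", base, "nginx", frozenset({80, 4444}),
               t0 - timedelta(days=30), attack=True)
    return {
        "twin_shows_same_use": classify(first, [twin], []),
        "difference_seen_before": classify(first, [peer], [past]),
        "difference_never_seen": classify(first, [peer], []),
        "near_match_strict": classify(first, [near], [], threshold=0.95),
        "near_match_loose": classify(first, [near], [], threshold=0.8),
        "other_os_ignored": classify(first, [other_os], []),
        "similarity_near": config_similarity(first, near),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Nothing in this flow decides on its own that a use is an attack: the verdict is inherited from the matching peer or from the historical record, and only a genuinely new difference is escalated to the later checks. The history is searched newest first so that a use reclassified after investigation overrides an older verdict for the same task and resources.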
- With reference now to
FIG. 10, a flowchart of a process for identifying malware, and in particular, for requesting a user to determine whether a new use of a set of computer resources by a group of tasks on host computer system 200 in FIG. 2 is an attack, is depicted in accordance with an illustrative embodiment. The steps in FIG. 10 may be implemented in computer resource management environment 100 in FIG. 1. In particular, the steps may be implemented in software, hardware, or a combination of the two in resource management computer system 400 in FIG. 4. Still more particularly, the steps may be implemented by resource management tool 420 in resource management computer system 400. - The process begins by retrieving a new use of a set of computer resources by a group of tasks running in host computer system 200 (step 1002). The process then retrieves
policy 434 in FIG. 4 (step 1004). In this illustrative example, policy 434 is used by the process for requesting user identification regarding a group of tasks' use of a set of computer resources. In this illustrative example, policy 434 has a rule for determining if a challenge question is used and a rule for determining the duration of time to wait for a user response. - The process sends a request to a user of
host computer system 200 to determine whether the group of tasks' new use is an attack, wherein the request also includes a challenge question based on the policy (step 1006). In this example, a rule in policy 434 indicates that a challenge question must be used when requesting a user to identify if a group of tasks' use is an attack. In other examples, a rule in policy 434 may select a particular type of challenge question to be used. For example, a rule in policy 434 may select a particular type of challenge question for a particular use of computer resources, for a particular group of tasks, for a particular set of computer resources, and for a particular host computer system. - As depicted (step 1008), if the user did not respond to the request within the duration of time according to the policy, the process identifies the new use of the set of computer resources by the group of tasks running in
host computer system 200 as a possible attack based on not receiving a user response within the duration of time (step 1010), with the process terminating thereafter. Otherwise, if the user did respond to the request within the duration of time according to the policy, the process continues to step 1012. - Next, the process determines whether the user responded to the challenge question correctly (step 1012). If the user did not respond to the challenge question correctly, the process identifies the new use of the set of computer resources by the group of tasks running in
host computer system 200 as a possible attack based on not receiving a correct user response to the challenge question (step 1014), with the process terminating thereafter. Otherwise, if the user did respond to the challenge question correctly, the process stores the user's response as an indication of whether the new use by the group of tasks is an attack in host computer system 200 (step 1016), with the process terminating thereafter. - With reference now to
FIG. 11, a flowchart of a process for identifying malware, and in particular, for detecting if a new use of a set of computer resources by a group of tasks on host computer system 200 in FIG. 2 corresponds with a change scheduled to occur at a particular time, is depicted in accordance with an illustrative embodiment. The steps in FIG. 11 may be implemented in computer resource management environment 100 in FIG. 1. In particular, the steps may be implemented in software, hardware, or a combination of the two in resource management computer system 400 in FIG. 4. Still more particularly, the steps may be implemented by resource management tool 420 in resource management computer system 400. - The process begins by retrieving a new use of a set of computer resources by a group of tasks running in host computer system 200 (step 1102). The process then identifies a time when the new use occurred (step 1104). In these illustrative examples, a new use of a set of computer resources by a group of tasks running on
host computer system 200 and a time for the new use may be retrieved from correlation results log 414 in FIG. 4. For example, information about a new use of the set of computer resources by a group of tasks running on host computer system 200 retrieved from correlation results log 414 may include a discrepancy found between local scanning results and remote scanning results, as described herein. - The process identifies a set of changes having a scheduled time for each change, wherein the set of changes are for the group of tasks running on
host computer system 200 and for the set of computer resources in use by the group of tasks running on host computer system 200 (step 1106). A "set" as used herein with reference to changes means one or more changes. For example, a "set of changes" is one or more changes. A set of changes can be changes to software, hardware, or a combination of the two. In these illustrative examples, a set of changes may be updates to programs on host computer system 200 or on another computer system in network 120 in FIG. 1. - The process then determines whether the time when the new use occurred corresponds to the scheduled time for at least one of the changes in the set of changes (step 1108). A determination is made as to whether the time when the new use occurred corresponds to the scheduled time for at least one of the changes in the set of changes (step 1110). If the time when the new use occurred does not correspond to a scheduled time for at least one of the changes in the set of changes, the process identifies the new use of the set of computer resources by the group of tasks running in
host computer system 200 as a possible attack (step 1112), with the process terminating thereafter. Otherwise, if the time when the use occurred does match the scheduled time for at least one of the changes in the set of changes, the process identifies that the new use of the set of computer resources by the group of tasks running in host computer system 200 may not be an attack because it corresponds to the scheduled time (step 1114), with the process terminating thereafter. - With reference now to
FIG. 12 , a flowchart of a process for identifying malware and, in particular, for detecting if a port currently in use inhost computer system 200 is assigned to a process inhost computer system 200 inFIG. 2 , in accordance with an illustrative embodiment. The steps inFIG. 12 may be implemented in computerresource management environment 100 inFIG. 1 . In particular, the steps may be implemented in software, hardware, or a combination of the two in resourcemanagement computer system 400 inFIG. 4 . Still more particularly, the steps may be implemented byresource management tool 420 in resourcemanagement computer system 400. - The process begins by identifying processes in a running process list on host computer system 200 (step 1202). In these illustrative examples, a running process list may be running
task list 213 inFIG. 2 . The process identifies ports assigned to the processes in the running process list on host computer system 200 (step 1204). The process then identifies ports in use in host computer system 200 (step 1206). In these illustrative examples, information about a use of the ports by processes running onhost computer system 200 may be retrieved from correlation results log 414 inFIG. 4 . For example, information about a use of ports by processes running onhost computer system 200 retrieved from correlation results log 414 may include a discrepancy found between local scanning results and remote scanning results, as described herein. - The process determines whether a port is in use in
host computer system 200 that is unassigned to the processes in the running process list in host computer system 200 (step 1208). A determination is made as to whether any one of the ports that is currently in use in the host computer system is not assigned to any of the processes in the running process list in host computer system 200 (step 1210). If each of the ports that is currently in use is assigned to any of the processes in the running process list inhost computer system 200, the process makes a record that the attack is absent in host computer system 200 (step 1212), with the process terminating thereafter. Otherwise, if one of the ports is currently in use but not assigned to any of the processes in the running process list inhost computer system 200, the process makes a record that a hidden, running process is present as a characteristic of an attack in host computer system 200 (step 1214), with the process terminating thereafter. Instep 1214, additional investigation may be made to determine whether a false positive has occurred in identifying an attack as being present. The additional investigation may be made using steps such as those illustrated inFIGS. 9-11 . - Accordingly, the one or more illustrative embodiments provide a system, method and a program product for detecting the presence of malicious tasks running on a computer system or host computer system, in accordance with an embodiment of the invention. The illustrative embodiments may interrogate the host computer system both locally and remotely. Local interrogation could be conducted through a locally installed agent (user or administrator-level access), or through standard network service interrogation techniques that typically require administrative-level access. Remote service interrogation of the host computer system can be conducted with standard port scanning and vulnerability scanning technologies. 
The device labeled “suspicious host” may or may not originally be “suspicious” and the interrogation of the host may be a routine/scheduled event for preemptive detection of malicious tasks and unwanted tasks installed on host computer systems. Local host enumeration of network services could be achieved through the use of default operating system query tools, or custom tools. The remote scanning tool may use standard remote port scanning techniques to identify open ports and enumerate the tasks behind them. The resource management tool could be a stand-alone device, part of a resource management toolset, or part of an additional software suite whose purpose is to act upon any discrepancies identified between “local scanning results” and “remote scanning results.”
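The two decisions described above, the FIG. 12 comparison of ports in use against the ports assigned to listed processes (steps 1202-1214) and the FIG. 11 correlation of the new use with scheduled change times (steps 1106-1114) applied as the follow-up investigation of step 1214, as an added Python example that is not part of the patent or any product. The record layout, the function names, the 15-minute tolerance window and all scan results are constructed assumptions.

```python
"""Added example (not from the patent): FIG. 12 port/process discrepancy check,
with the FIG. 11 scheduled-change correlation as a false-positive filter.
All scan data below is constructed; names and the tolerance are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Process:
    """One entry of the running process list (running task list 213) together
    with the ports the local interrogation attributes to it (step 1204)."""
    pid: int
    name: str
    ports: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class ScheduledChange:
    """One entry of the set of changes, each with a scheduled time (step 1106)."""
    description: str
    scheduled_at: datetime


def unassigned_ports(running, ports_in_use):
    """Steps 1208-1210: ports in use (for example, open ports reported by the
    remote scan) that no process in the running process list claims."""
    assigned = set().union(*(p.ports for p in running))
    return set(ports_in_use) - assigned


def explained_by_schedule(observed_at, changes, tolerance=timedelta(minutes=15)):
    """Steps 1108-1110: return the scheduled change whose time lies within
    `tolerance` of the observed new use, or None when nothing matches."""
    for change in changes:
        if abs(observed_at - change.scheduled_at) <= tolerance:
            return change
    return None


def assess_host(running, ports_in_use, observed_at, changes):
    """FIG. 12 decision (steps 1212/1214). A positive finding is then checked
    against the change schedule, as step 1214's additional investigation."""
    hidden = unassigned_ports(running, ports_in_use)
    if not hidden:
        return {"finding": "attack absent", "unassigned_ports": set(), "change": None}
    change = explained_by_schedule(observed_at, changes)
    if change is not None:
        return {"finding": "hidden process indicator matches scheduled change",
                "unassigned_ports": hidden, "change": change.description}
    return {"finding": "hidden running process present (possible attack)",
            "unassigned_ports": hidden, "change": None}


# Constructed local scanning results: running process list with assigned ports.
RUNNING = [
    Process(1, "sshd", frozenset({22})),
    Process(2, "httpd", frozenset({80, 443})),
]
# Constructed remote scanning results: open ports seen from the network.
REMOTE_OPEN = {22, 80, 443, 4444}
# Constructed change schedule for the host and two constructed observation times.
CHANGES = [ScheduledChange("monitoring agent upgrade", datetime(2024, 5, 1, 2, 0))]
OBSERVED_DURING_CHANGE = datetime(2024, 5, 1, 2, 5)
OBSERVED_UNSCHEDULED = datetime(2024, 5, 1, 13, 30)


def main():
    for when in (OBSERVED_DURING_CHANGE, OBSERVED_UNSCHEDULED):
        result = assess_host(RUNNING, REMOTE_OPEN, when, CHANGES)
        print(when.isoformat(), "->", result["finding"], sorted(result["unassigned_ports"]))


if __name__ == "__main__":
    main()
```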
- The descriptions of the various embodiments of the present disclosure have been presented for purposes of illustration, but are not intended to be exhaustive or limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiment. The terminology used herein was chosen to best explain the principles of the embodiment, the practical application or technical improvement over technologies found in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed here.
- The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be performed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/547,359 US9251345B2 (en) | 2008-10-29 | 2014-11-19 | Detecting malicious use of computer resources by tasks running on a computer system |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/261,026 US20100107257A1 (en) | 2008-10-29 | 2008-10-29 | System, method and program product for detecting presence of malicious software running on a computer system |
US13/315,895 US8931096B2 (en) | 2008-10-29 | 2011-12-09 | Detecting malicious use of computer resources by tasks running on a computer system |
US14/547,359 US9251345B2 (en) | 2008-10-29 | 2014-11-19 | Detecting malicious use of computer resources by tasks running on a computer system |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/315,895 Continuation US8931096B2 (en) | 2008-10-29 | 2011-12-09 | Detecting malicious use of computer resources by tasks running on a computer system |
Publications (2)
Publication Number | Publication Date |
---|---|
US20150074812A1 true US20150074812A1 (en) | 2015-03-12 |
US9251345B2 US9251345B2 (en) | 2016-02-02 |
Family
ID=42118823
Family Applications (3)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/261,026 Abandoned US20100107257A1 (en) | 2008-10-29 | 2008-10-29 | System, method and program product for detecting presence of malicious software running on a computer system |
US13/315,895 Active 2028-12-03 US8931096B2 (en) | 2008-10-29 | 2011-12-09 | Detecting malicious use of computer resources by tasks running on a computer system |
US14/547,359 Active US9251345B2 (en) | 2008-10-29 | 2014-11-19 | Detecting malicious use of computer resources by tasks running on a computer system |
Family Applications Before (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/261,026 Abandoned US20100107257A1 (en) | 2008-10-29 | 2008-10-29 | System, method and program product for detecting presence of malicious software running on a computer system |
US13/315,895 Active 2028-12-03 US8931096B2 (en) | 2008-10-29 | 2011-12-09 | Detecting malicious use of computer resources by tasks running on a computer system |
Country Status (7)
Country | Link |
---|---|
US (3) | US20100107257A1 (en) |
EP (1) | EP2294786B1 (en) |
JP (1) | JP5490127B2 (en) |
KR (1) | KR20110076976A (en) |
CN (1) | CN102171987A (en) |
CA (1) | CA2719495C (en) |
WO (1) | WO2010049273A2 (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106878240A (en) * | 2015-12-14 | 2017-06-20 | 阿里巴巴集团控股有限公司 | Zombie host recognition methods and device |
US10176438B2 (en) | 2015-06-19 | 2019-01-08 | Arizona Board Of Regents On Behalf Of Arizona State University | Systems and methods for data driven malware task identification |
Families Citing this family (55)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070169192A1 (en) * | 2005-12-23 | 2007-07-19 | Reflex Security, Inc. | Detection of system compromise by per-process network modeling |
US20100107257A1 (en) * | 2008-10-29 | 2010-04-29 | International Business Machines Corporation | System, method and program product for detecting presence of malicious software running on a computer system |
US8918876B2 (en) * | 2009-04-30 | 2014-12-23 | Telefonaktiebolaget L M Ericsson (Publ) | Deviating behaviour of a user terminal |
US8898774B2 (en) * | 2009-06-25 | 2014-11-25 | Accenture Global Services Limited | Method and system for scanning a computer system for sensitive content |
WO2011027352A1 (en) * | 2009-09-03 | 2011-03-10 | Mcafee, Inc. | Network access control |
US9521154B2 (en) | 2011-08-03 | 2016-12-13 | Hewlett Packard Enterprise Development Lp | Detecting suspicious network activity using flow sampling |
CN103164652B (en) * | 2011-12-15 | 2015-07-29 | 深圳市腾讯计算机系统有限公司 | Wooden horse scan method and system |
US20130160129A1 (en) * | 2011-12-19 | 2013-06-20 | Verizon Patent And Licensing Inc. | System security evaluation |
US9473346B2 (en) * | 2011-12-23 | 2016-10-18 | Firebind, Inc. | System and method for network path validation |
US9659173B2 (en) * | 2012-01-31 | 2017-05-23 | International Business Machines Corporation | Method for detecting a malware |
US9032520B2 (en) * | 2012-02-22 | 2015-05-12 | iScanOnline, Inc. | Remote security self-assessment framework |
US9298494B2 (en) | 2012-05-14 | 2016-03-29 | Qualcomm Incorporated | Collaborative learning for efficient behavioral analysis in networked mobile device |
US9202047B2 (en) | 2012-05-14 | 2015-12-01 | Qualcomm Incorporated | System, apparatus, and method for adaptive observation of mobile device behavior |
US9324034B2 (en) | 2012-05-14 | 2016-04-26 | Qualcomm Incorporated | On-device real-time behavior analyzer |
US9609456B2 (en) | 2012-05-14 | 2017-03-28 | Qualcomm Incorporated | Methods, devices, and systems for communicating behavioral analysis information |
US9690635B2 (en) | 2012-05-14 | 2017-06-27 | Qualcomm Incorporated | Communicating behavior information in a mobile computing device |
US9330257B2 (en) | 2012-08-15 | 2016-05-03 | Qualcomm Incorporated | Adaptive observation of behavioral features on a mobile device |
US9495537B2 (en) | 2012-08-15 | 2016-11-15 | Qualcomm Incorporated | Adaptive observation of behavioral features on a mobile device |
US9319897B2 (en) | 2012-08-15 | 2016-04-19 | Qualcomm Incorporated | Secure behavior analysis over trusted execution environment |
US9747440B2 (en) | 2012-08-15 | 2017-08-29 | Qualcomm Incorporated | On-line behavioral analysis engine in mobile device with multiple analyzer model providers |
US8949995B2 (en) * | 2012-09-18 | 2015-02-03 | International Business Machines Corporation | Certifying server side web applications against security vulnerabilities |
CN103268446A (en) * | 2012-12-28 | 2013-08-28 | 武汉安天信息技术有限责任公司 | Mobile phone malicious code detection method based on SD (Secure Digital) card driver and system thereof |
US9684870B2 (en) | 2013-01-02 | 2017-06-20 | Qualcomm Incorporated | Methods and systems of using boosted decision stumps and joint feature selection and culling algorithms for the efficient classification of mobile device behaviors |
US10089582B2 (en) | 2013-01-02 | 2018-10-02 | Qualcomm Incorporated | Using normalized confidence values for classifying mobile device behaviors |
US9686023B2 (en) | 2013-01-02 | 2017-06-20 | Qualcomm Incorporated | Methods and systems of dynamically generating and using device-specific and device-state-specific classifier models for the efficient classification of mobile device behaviors |
EP2946332B1 (en) * | 2013-01-16 | 2018-06-13 | Palo Alto Networks (Israel Analytics) Ltd | Automated forensics of computer systems using behavioral intelligence |
US9742559B2 (en) | 2013-01-22 | 2017-08-22 | Qualcomm Incorporated | Inter-module authentication for securing application execution integrity within a computing device |
US9491187B2 (en) | 2013-02-15 | 2016-11-08 | Qualcomm Incorporated | APIs for obtaining device-specific behavior classifier models from the cloud |
US9817742B2 (en) * | 2013-06-25 | 2017-11-14 | Dell International L.L.C. | Detecting hardware and software problems in remote systems |
US10158660B1 (en) | 2013-10-17 | 2018-12-18 | Tripwire, Inc. | Dynamic vulnerability correlation |
KR101451323B1 (en) * | 2014-02-10 | 2014-10-16 | 주식회사 락인컴퍼니 | Application security system, security server, security client apparatus, and recording medium |
US9384034B2 (en) * | 2014-03-28 | 2016-07-05 | International Business Machines Corporation | Detecting operation of a virtual machine |
US9756062B2 (en) * | 2014-08-27 | 2017-09-05 | General Electric Company | Collaborative infrastructure supporting cyber-security analytics in industrial networks |
US9432393B2 (en) * | 2015-02-03 | 2016-08-30 | Cisco Technology, Inc. | Global clustering of incidents based on malware similarity and online trustfulness |
CN104751058B (en) * | 2015-03-16 | 2018-08-31 | 联想(北京)有限公司 | A kind of file scanning method and electronic equipment |
US10075461B2 (en) | 2015-05-31 | 2018-09-11 | Palo Alto Networks (Israel Analytics) Ltd. | Detection of anomalous administrative actions |
US10686829B2 (en) | 2016-09-05 | 2020-06-16 | Palo Alto Networks (Israel Analytics) Ltd. | Identifying changes in use of user credentials |
WO2019123661A1 (en) * | 2017-12-22 | 2019-06-27 | 三菱電機株式会社 | In-vehicle device, authentication method, and authentication program |
CN108282489B (en) * | 2018-02-07 | 2020-01-31 | 网宿科技股份有限公司 | vulnerability scanning method, server and system |
US10708755B2 (en) * | 2018-04-03 | 2020-07-07 | Servicenow, Inc. | Discovery and service mapping of serverless resources |
US10999304B2 (en) | 2018-04-11 | 2021-05-04 | Palo Alto Networks (Israel Analytics) Ltd. | Bind shell attack detection |
CN109039812B (en) * | 2018-07-20 | 2021-05-11 | 深圳前海微众银行股份有限公司 | Port detection method, system and computer readable storage medium |
US11233703B2 (en) * | 2018-11-20 | 2022-01-25 | Cisco Technology, Inc. | Extending encrypted traffic analytics with traffic flow data |
US11184376B2 (en) | 2019-01-30 | 2021-11-23 | Palo Alto Networks (Israel Analytics) Ltd. | Port scan detection using destination profiles |
US11184378B2 (en) | 2019-01-30 | 2021-11-23 | Palo Alto Networks (Israel Analytics) Ltd. | Scanner probe detection |
US11070569B2 (en) | 2019-01-30 | 2021-07-20 | Palo Alto Networks (Israel Analytics) Ltd. | Detecting outlier pairs of scanned ports |
US11316872B2 (en) | 2019-01-30 | 2022-04-26 | Palo Alto Networks (Israel Analytics) Ltd. | Malicious port scan detection using port profiles |
US11184377B2 (en) | 2019-01-30 | 2021-11-23 | Palo Alto Networks (Israel Analytics) Ltd. | Malicious port scan detection using source profiles |
KR102327026B1 (en) | 2019-02-07 | 2021-11-16 | 고려대학교 산학협력단 | Device and method for learning assembly code and detecting software weakness based on graph convolution network |
US11277426B1 (en) * | 2019-09-13 | 2022-03-15 | Rapid7, Inc. | Anomalous asset detection based on open ports |
US11012492B1 (en) | 2019-12-26 | 2021-05-18 | Palo Alto Networks (Israel Analytics) Ltd. | Human activity detection in computing device transmissions |
US11509680B2 (en) | 2020-09-30 | 2022-11-22 | Palo Alto Networks (Israel Analytics) Ltd. | Classification of cyber-alerts into security incidents |
US20220394050A1 (en) * | 2021-06-08 | 2022-12-08 | EMC IP Holding Company LLC | Managing initiator identities |
US11916930B2 (en) * | 2021-06-29 | 2024-02-27 | Acronis International Gmbh | Non-invasive virus scanning using remote access |
US11799880B2 (en) | 2022-01-10 | 2023-10-24 | Palo Alto Networks (Israel Analytics) Ltd. | Network adaptive alert prioritization system |
Citations (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6216173B1 (en) * | 1998-02-03 | 2001-04-10 | Redbox Technologies Limited | Method and apparatus for content processing and routing |
US20040030912A1 (en) * | 2001-05-09 | 2004-02-12 | Merkle James A. | Systems and methods for the prevention of unauthorized use and manipulation of digital content |
US20050086526A1 (en) * | 2003-10-17 | 2005-04-21 | Panda Software S.L. (Sociedad Unipersonal) | Computer implemented method providing software virus infection information in real time |
US20060203736A1 (en) * | 2005-03-10 | 2006-09-14 | Stsn General Holdings Inc. | Real-time mobile user network operations center |
US20070079178A1 (en) * | 2005-10-05 | 2007-04-05 | Computer Associates Think, Inc. | Discovery of kernel rootkits by detecting hidden information |
US20070198656A1 (en) * | 2006-01-24 | 2007-08-23 | Citrix Systems, Inc. | Methods and servers for establishing a connection between a client system and a virtual machine executing in a terminal services session and hosting a requested computing environment |
US20070240212A1 (en) * | 2006-03-30 | 2007-10-11 | Check Point Software Technologies, Inc. | System and Methodology Protecting Against Key Logger Spyware |
US20080066145A1 (en) * | 2006-09-08 | 2008-03-13 | Ibahn General Holdings, Inc. | Monitoring and reporting policy compliance of home networks |
US20080320594A1 (en) * | 2007-03-19 | 2008-12-25 | Xuxian Jiang | Malware Detector |
US20090007269A1 (en) * | 2007-06-29 | 2009-01-01 | Network Security Technologies, Inc. | Using imported data from security tools |
US20090044277A1 (en) * | 2002-05-29 | 2009-02-12 | Bellsouth Intellectual Property Corporation | Non-invasive monitoring of the effectiveness of electronic security services |
US7523502B1 (en) * | 2006-09-21 | 2009-04-21 | Symantec Corporation | Distributed anti-malware |
US7665136B1 (en) * | 2005-11-09 | 2010-02-16 | Symantec Corporation | Method and apparatus for detecting hidden network communication channels of rootkit tools |
US7685254B2 (en) * | 2003-06-10 | 2010-03-23 | Pandya Ashish A | Runtime adaptable search processor |
US20100107257A1 (en) * | 2008-10-29 | 2010-04-29 | International Business Machines Corporation | System, method and program product for detecting presence of malicious software running on a computer system |
US7934259B1 (en) * | 2005-11-29 | 2011-04-26 | Symantec Corporation | Stealth threat detection |
Family Cites Families (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7418732B2 (en) * | 2002-06-26 | 2008-08-26 | Microsoft Corporation | Network switches for detection and prevention of virus attacks |
JP3767581B2 (en) | 2003-06-13 | 2006-04-19 | ヤマハ株式会社 | Typing skill acquisition support device, word learning acquisition support device, server terminal, and program |
JP2005025269A (en) * | 2003-06-30 | 2005-01-27 | Toshiba Corp | Network relay device and method for inspecting security |
WO2006071985A2 (en) * | 2004-12-29 | 2006-07-06 | Alert Logic, Inc. | Threat scoring system and method for intrusion detection security networks |
US7979889B2 (en) * | 2005-01-07 | 2011-07-12 | Cisco Technology, Inc. | Methods and apparatus providing security to computer systems and networks |
US7793347B2 (en) * | 2005-02-07 | 2010-09-07 | Rozas Guillermo J | Method and system for validating a computer system |
US7475135B2 (en) * | 2005-03-31 | 2009-01-06 | International Business Machines Corporation | Systems and methods for event detection |
US7874001B2 (en) * | 2005-07-15 | 2011-01-18 | Microsoft Corporation | Detecting user-mode rootkits |
US8413245B2 (en) * | 2005-12-16 | 2013-04-02 | Cisco Technology, Inc. | Methods and apparatus providing computer and network security for polymorphic attacks |
KR100799302B1 (en) * | 2006-06-21 | 2008-01-29 | 한국전자통신연구원 | A system and method for detection of a hidden process using system event |
US7945955B2 (en) * | 2006-12-18 | 2011-05-17 | Quick Heal Technologies Private Limited | Virus detection in mobile devices having insufficient resources to execute virus detection software |
US8302196B2 (en) | 2007-03-20 | 2012-10-30 | Microsoft Corporation | Combining assessment models and client targeting to identify network security vulnerabilities |
-
2008
- 2008-10-29 US US12/261,026 patent/US20100107257A1/en not_active Abandoned
-
2009
- 2009-10-14 JP JP2011533666A patent/JP5490127B2/en active Active
- 2009-10-14 CN CN2009801386798A patent/CN102171987A/en active Pending
- 2009-10-14 CA CA2719495A patent/CA2719495C/en active Active
- 2009-10-14 KR KR1020117009680A patent/KR20110076976A/en not_active Application Discontinuation
- 2009-10-14 WO PCT/EP2009/063396 patent/WO2010049273A2/en active Application Filing
- 2009-10-14 EP EP09752766.7A patent/EP2294786B1/en active Active
-
2011
- 2011-12-09 US US13/315,895 patent/US8931096B2/en active Active
-
2014
- 2014-11-19 US US14/547,359 patent/US9251345B2/en active Active
Patent Citations (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6216173B1 (en) * | 1998-02-03 | 2001-04-10 | Redbox Technologies Limited | Method and apparatus for content processing and routing |
US20080178299A1 (en) * | 2001-05-09 | 2008-07-24 | Ecd Systems, Inc. | Systems and methods for the prevention of unauthorized use and manipulation of digital content |
US20040030912A1 (en) * | 2001-05-09 | 2004-02-12 | Merkle James A. | Systems and methods for the prevention of unauthorized use and manipulation of digital content |
US20090044277A1 (en) * | 2002-05-29 | 2009-02-12 | Bellsouth Intellectual Property Corporation | Non-invasive monitoring of the effectiveness of electronic security services |
US7685254B2 (en) * | 2003-06-10 | 2010-03-23 | Pandya Ashish A | Runtime adaptable search processor |
US20050086526A1 (en) * | 2003-10-17 | 2005-04-21 | Panda Software S.L. (Sociedad Unipersonal) | Computer implemented method providing software virus infection information in real time |
US20060203736A1 (en) * | 2005-03-10 | 2006-09-14 | Stsn General Holdings Inc. | Real-time mobile user network operations center |
US20070079178A1 (en) * | 2005-10-05 | 2007-04-05 | Computer Associates Think, Inc. | Discovery of kernel rootkits by detecting hidden information |
US7665136B1 (en) * | 2005-11-09 | 2010-02-16 | Symantec Corporation | Method and apparatus for detecting hidden network communication channels of rootkit tools |
US7934259B1 (en) * | 2005-11-29 | 2011-04-26 | Symantec Corporation | Stealth threat detection |
US20070198656A1 (en) * | 2006-01-24 | 2007-08-23 | Citrix Systems, Inc. | Methods and servers for establishing a connection between a client system and a virtual machine executing in a terminal services session and hosting a requested computing environment |
US20070240212A1 (en) * | 2006-03-30 | 2007-10-11 | Check Point Software Technologies, Inc. | System and Methodology Protecting Against Key Logger Spyware |
US20080066145A1 (en) * | 2006-09-08 | 2008-03-13 | Ibahn General Holdings, Inc. | Monitoring and reporting policy compliance of home networks |
US7523502B1 (en) * | 2006-09-21 | 2009-04-21 | Symantec Corporation | Distributed anti-malware |
US20080320594A1 (en) * | 2007-03-19 | 2008-12-25 | Xuxian Jiang | Malware Detector |
US20090007269A1 (en) * | 2007-06-29 | 2009-01-01 | Network Security Technologies, Inc. | Using imported data from security tools |
US20100107257A1 (en) * | 2008-10-29 | 2010-04-29 | International Business Machines Corporation | System, method and program product for detecting presence of malicious software running on a computer system |
Also Published As
Publication number | Publication date |
---|---|
WO2010049273A2 (en) | 2010-05-06 |
CN102171987A (en) | 2011-08-31 |
EP2294786B1 (en) | 2016-07-27 |
EP2294786A2 (en) | 2011-03-16 |
JP5490127B2 (en) | 2014-05-14 |
US8931096B2 (en) | 2015-01-06 |
US20100107257A1 (en) | 2010-04-29 |
WO2010049273A3 (en) | 2010-09-16 |
JP2012507094A (en) | 2012-03-22 |
CA2719495A1 (en) | 2010-05-06 |
US20120084862A1 (en) | 2012-04-05 |
KR20110076976A (en) | 2011-07-06 |
CA2719495C (en) | 2018-07-17 |
US9251345B2 (en) | 2016-02-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9251345B2 (en) | Detecting malicious use of computer resources by tasks running on a computer system | |
US10701091B1 (en) | System and method for verifying a cyberthreat | |
US11687653B2 (en) | Methods and apparatus for identifying and removing malicious applications | |
US20240054234A1 (en) | Methods and systems for hardware and firmware security monitoring | |
US8555385B1 (en) | Techniques for behavior based malware analysis | |
US8621624B2 (en) | Apparatus and method for preventing anomaly of application program | |
US8955135B2 (en) | Malicious code infection cause-and-effect analysis | |
US8516586B1 (en) | Classification of unknown computer network traffic | |
US20120005755A1 (en) | Infection inspection system, infection inspection method, storage medium, and program | |
WO2001084270A2 (en) | Method and system for intrusion detection in a computer network | |
JP2015531508A (en) | System and method for automated memory and thread execution anomaly detection in computer networks | |
KR102156379B1 (en) | Agentless Vulnerability Diagnosis System through Information Collection Process and Its Method | |
US20090276852A1 (en) | Statistical worm discovery within a security information management architecture | |
US11785034B2 (en) | Detecting security risks based on open ports | |
US20180288075A1 (en) | Communication destination determination device, communication destination determination method, and recording medium | |
US11863577B1 (en) | Data collection and analytics pipeline for cybersecurity | |
JP2019186686A (en) | Network monitoring device, network monitoring program, and network monitoring method | |
US20090276853A1 (en) | Filtering intrusion detection system events on a single host | |
JPWO2019180989A1 (en) | Hearing systems, threat response systems, methods and programs | |
US11296868B1 (en) | Methods and system for combating cyber threats using a related object sequence hash | |
US7590897B2 (en) | Device, method and computer program product for responding to error events | |
US20220198012A1 (en) | Method and System for Security Management on a Mobile Storage Device | |
JP2005165541A (en) | Damage determining device, damage analysis device, damage determining system, damage determining program, and damage analysis program | |
CN114844691A (en) | Data processing method and device, electronic equipment and storage medium | |
CN117692158A (en) | Method, system, storage medium and computer equipment for identifying abnormal business access behaviors |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | AS | Assignment | Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y; Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:FREEMAN, ROBERT G.;OLLMANN, GUNTER D.;SIGNING DATES FROM 20141117 TO 20141119;REEL/FRAME:034208/0203 |
 | STCF | Information on status: patent grant | Free format text: PATENTED CASE |
 | MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY; Year of fee payment: 4 |
 | AS | Assignment | Owner name: KYNDRYL, INC., NEW YORK; Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:INTERNATIONAL BUSINESS MACHINES CORPORATION;REEL/FRAME:057885/0644; Effective date: 20210930 |
 | MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY; Year of fee payment: 8 |